September 6, 2005

Information Technology Management

Report on Defense Information Systems Agency, Center for Computing Services Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through April 30, 2005 (D-2005-105)

Department of Defense
Office of the Inspector General

Constitution of the United States

A Regular Statement of Account of the Receipts and Expenditures of all public Money shall be published from time to time.
                                                              Article I, Section 9

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit, Audit Followup and Technical Support at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact Audit Followup and Technical Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

                  ODIG-AUD (ATTN: AFTS Audit Suggestions)
                    Department of Defense Inspector General
                      400 Army Navy Drive (Room 801)
                          Arlington, VA 22202-4704

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON,
VIRGINIA 22202-4704

September 6, 2005

MEMORANDUM FOR THE UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
               DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: Report on Defense Information Systems Agency, Center for Computing Services Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through April 30, 2005 (Report No. D-2005-105)

We are providing this report for your information and use. No written response to this report is required. Therefore, we are publishing this report in final form.

We appreciate the courtesies extended to the staff. Questions should be directed to Mr. Michael Perkins at (703) 325-3557 (DSN 221-3557) or Ms. Suzette L. Luecke at (703) 428-1067 (DSN 328-1067). The team members are listed inside the back cover.

By direction of the Deputy Inspector General for Auditing:

Paul J. Granetto, CPA
Assistant Inspector General
Defense Financial Auditing Service

Table of Contents

Foreword                                                   i

Section I
      Independent Service Auditors' Report                 1

Section II
      Overview of Operations                               9
      Overview of Control Environment                     14
      Information and Communication                       25
      Control Objectives and Related Control Activities   26
      User Control Considerations                         26

Section III
      Entity-wide Security Program                        31
      Access Control                                      37
      Software Development and Change Control             50
      Segregation of Duties                               55
      Service Continuity                                  59

Section IV
      Introduction                                        65
      Security Processes and Other Considerations         69
      Continuity of Operations Plan                       70
      Summary                                             71

Acronyms and Abbreviations                                72

Report Distribution                                       73

FOREWORD

This report is intended for the use of Defense Information Systems Agency (DISA) management, its user organizations, and the independent auditors of its user organizations.

The DoD Office of Inspector General is implementing a long-range strategy to conduct audits of DoD financial statements. The Chief Financial Officers Act of 1990 (P.L. 101-576), as amended, mandates that agencies prepare and conduct audits of financial statements.
The reliability of information processed at DISA sites directly impacts DoD's ability to produce reliable, and ultimately auditable, financial statements, which is key to achieving the goals of the Chief Financial Officers Act.

This report focuses on DISA's Center for Computing Services (CS), an organization that provides computer processing for the entire range of combat support functions, including transportation, logistics, maintenance, munitions, engineering, acquisition, finance, medicine, and military personnel readiness. CS offers computing services on both CS-owned and customer-owned platforms, including computer operations, data storage, systems administration, security management, capacity management, system engineering, web and portal hosting, architectural development, and performance monitoring.

This audit assessed controls over the CS processing environment. The report provides an opinion on the fairness of presentation, the adequacy of design, and the operating effectiveness of key controls that are relevant to audits of user organization financial statements. As a result, this audit may preclude the need for the multiple audits of CS controls previously performed by user organizations to plan or conduct financial statement and performance audits. This audit will also provide, in separate audit reports, recommendations to management for correction of identified control deficiencies. Effective internal control is critical to achieving reliable information for all management reporting and decision-making purposes.

The concept of internal control is fundamental to this Statement on Auditing Standards No. 70 report. Internal control is the process designed to provide reasonable assurance that objectives regarding the reliability of financial reporting, the effectiveness of operations, and compliance with applicable significant laws and regulations are achieved.
DISA has imposed internal control standards that require strict compliance with DoD and DISA policies. DISA's level of compliance with specific aspects of these regulations has a direct impact on the accompanying description of internal controls and related test results.

Section I: Independent Service Auditors' Report

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

September 6, 2005

MEMORANDUM FOR THE UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
               DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: Report on Defense Information Systems Agency Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004 through April 30, 2005

We have examined the accompanying description of Defense Information Systems Agency (DISA) Center for Computing Services (CS) controls applicable to the Defense Enterprise Computing Centers (DECCs) located at Chambersburg, Pennsylvania; Columbus, Ohio; Dayton, Ohio; Denver, Colorado; Huntsville, Alabama; Jacksonville, Florida; Mechanicsburg, Pennsylvania; Montgomery, Alabama; Norfolk, Virginia; Oklahoma City, Oklahoma; Ogden, Utah; Rock Island, Illinois; San Antonio, Texas; San Diego, California; St. Louis, Missouri; and Warner Robins, Georgia. These locations and the unclassified technologies (operating systems) resident therein were the sample population from which tests of specific controls were applied. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of CS's information technology (IT) controls that may be relevant to a user organization's internal controls as they relate to an audit of financial statements; (2) the IT controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of CS's controls; and (3) such controls had been placed in operation as of April 30, 2005. The control objectives were specified by the Office of Inspector General, Department of Defense. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States, and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

As discussed in the accompanying description, CS did not have control procedures in place to ensure that resource owners identified authorized users and their respective access rights.
These deficiencies resulted in controls not being suitably designed to achieve control objective AC 2, "Controls provide reasonable assurance that a current list of authorized users and their respective access rights are maintained."

As discussed in the accompanying description, CS did not have all DoD-required logical control procedures in place to ensure that passwords, tokens, or other devices were used to identify and authenticate users; that access paths were identified and access authorizations were appropriately limited; that policies and techniques had been implemented for using and monitoring the use of system utilities, as well as for investigating and resolving inappropriate or unusual activity; that telecommunications were secured; and that cryptographic tools were used in a secure fashion. These deficiencies resulted in the implementation, monitoring, and enforcement of logical controls not being suitably designed to achieve control objective AC 3, "Controls provide reasonable assurance that physical and logical controls to prevent or detect unauthorized access are fully established and access to and use of system software is monitored."

As discussed in the accompanying description, the control procedures in place at CS did not fully ensure that audit trails were always maintained and that actual or attempted unauthorized, unusual, or sensitive access was fully monitored. These deficiencies resulted in controls not being suitably designed to achieve control objective AC 4, "Controls provide reasonable assurance that access is monitored, apparent security violations are investigated, and appropriate remedial action is taken."

In our opinion, the accompanying description of the aforementioned controls presents fairly, in all material respects, the relevant aspects of CS controls that had been placed in operation as of April 30, 2005.
Also, in our opinion, except for the matters described in the preceding paragraphs, the controls, as described, were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily.

CS states in its description of controls that all security risks are periodically assessed against federal requirements. Tests of operating effectiveness indicated that not all risk assessments fully conformed to the Field Security Operations (FSO) Risk Analysis Guide. As a result, control objective SP 1, "Controls provide reasonable assurance that security risks are periodically assessed," was not achieved.

CS states in its description of controls that all security plans are kept current. Tests of operating effectiveness indicated that not all security plans incorporated current guidance provided by DoD Instruction 8500.2, the DISA Computing Services Handbook, and Office of Management and Budget (OMB) Circular A-130, Appendix III. As a result, control objective SP 2, "Controls provide reasonable assurance that an entity-wide security program plan is documented, approved, and kept current," was not achieved.

CS states in its description of controls that owners and users are aware of security policies and that an incident response capability has been fully implemented. Tests of operating effectiveness indicated that not all sites had an effective security awareness program that provided guidance to users regarding the importance of security; not all sites had procedures implemented to determine that employees and contractors completed a nondisclosure agreement form to evidence their understanding and acceptance of confidential information disclosure restrictions and requirements; and not all site personnel were familiar with their responsibilities for intrusion detection and incident response.
As a result, control objective SP 3, "Controls provide reasonable assurance that a security management structure is established and security responsibilities are clearly assigned," was not achieved.

CS states in its description of controls that hiring, transfer, termination, and performance policies address personnel security and that employees have adequate training and expertise. Tests of operating effectiveness indicated that not all sites implemented formal policies for debriefing terminated employees and removing their access, not all sites provided appropriate training for personnel to perform their duties, and not all sites maintained documentation of employee training and professional development activities. As a result, control objective SP 4, "Controls provide reasonable assurance that effective security-related personnel policies have been implemented," was not achieved.

CS states in its description of controls that authorizations for software modifications are documented and maintained and that the use of public domain and personal software is restricted. Tests of operating effectiveness indicated that not all sites always documented configuration change request authorizations and not all sites restricted the use of unapproved and unaccredited software. As a result, control objective CC 1, "Controls provide reasonable assurance that processing features and program modifications are properly authorized," was not achieved.

CS states in its description of controls that changes are controlled as software progresses through testing to final implementation. Tests of operating effectiveness indicated that not all sites restricted programmers' access to the production environment, and not all sites maintained adequate audit trails or logs for identified systems.
As a result, control objective CC 2, "Controls provide reasonable assurance that all new and revised software, including system software, are tested and controlled," was not achieved.

CS states in its description of controls that movement of programs and data among libraries is controlled. Tests of operating effectiveness indicated that not all sites had complete procedures for movement of program code between libraries, or complete documentation and approval processes. As a result, control objective CC 3, "Controls provide reasonable assurance that software libraries are controlled," was not achieved.

CS states in its description of controls that data and program backup procedures and environmental controls have been implemented. Tests of operating effectiveness indicated that not all sites had formal tape backup procedures that were consistently followed, performed backup verifications, had procedures to recover backups stored off-site, had procedures to control physical access to off-site locations, had sufficient environmental controls, or had trained environmental personnel. As a result, control objective SC 2, "Controls provide reasonable assurance that data and program backup procedures and environmental controls have been implemented," was not achieved.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in section III, to obtain evidence about their effectiveness in meeting the control objectives described in section III during the period from October 1, 2004 to April 30, 2005.
The specific controls and the nature, timing, extent, and results of the tests are listed in section III. This information has been provided to user organizations of CS and to their auditors to be taken into consideration, along with information about the internal control of user organizations, when making assessments of control risk for user organizations.

In our opinion, except for the deficiencies listed in the preceding paragraphs, the controls that were tested, as described in section III, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in section III were achieved during the period from October 1, 2004 to April 30, 2005. However, the scope of our engagement did not include tests to determine whether control objectives not listed in section III were achieved; accordingly, we express no opinion on the achievement of control objectives not listed in section III.

The relative effectiveness and significance of specific controls at CS and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We performed no procedures to evaluate the effectiveness of controls at individual user organizations.

The description of controls at CS is as of April 30, 2005, and the information about tests of the operating effectiveness of specific controls covers the period from October 1, 2004 to April 30, 2005. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at CS is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected.
Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the system or controls, or the failure to make needed changes to the system or controls, may alter the validity of such conclusions.

The information in section IV describing CS's transformation plans, as well as plans to modify service continuity plans, is presented by CS to provide additional information and is not part of CS's description of controls that may be relevant to a user organization's internal control. Such information has not been subjected to the procedures applied in the examination of the description of controls applicable to the processing of transactions for user organizations and, accordingly, we express no opinion on it.

By direction of the Deputy Inspector General for Auditing:

Section II: Information Provided by DISA

A. Overview of Operations

Defense Information Systems Agency

DISA is a combat support agency responsible for planning, engineering, acquiring, fielding, and supporting global net-centric solutions to serve the needs of the President, Vice President, the Secretary of Defense, and other DoD Components, under all conditions of peace and war. DISA is the provider of global net-centric solutions for the nation's warfighters and all those who support them in the defense of the nation. The core services are Acquisition, CS [1], Enterprise Services, Network Operations, Network Services, Net-Centric Enterprise Services, and Global Information Grid (GIG) Bandwidth Expansion. Chart 1 provides the organizational structure of DISA.

Chart 1. Defense Information Systems Agency (organization chart; the boxes are listed as they appear in the chart)

   Director
      •   Vice Director
      •   Senior Enlisted Advisor
      •   Chief of Staff
      •   Chief Technology Officer

   Other offices and program offices
      •   Congressional Affairs
      •   Protocol
      •   Inspector General
      •   EEO & Cultural Diversity
      •   General Counsel
      •   NSA Liaison to DISA
      •   Small & Disadvantaged Business Utilization
      •   Defense Spectrum Office
      •   Director for Testing
      •   Reserve Forces
      •   White House Situation Support Staff
      •   White House Communication Agency
      •   Component Acquisition Executive
      •   NCES Program Office
      •   GIG-BE Program Office
      •   Chief Financial Executive/Comptroller

   Directorates
      •   Manpower, Personnel, and Security Directorate
      •   Strategic Planning and Information Directorate
      •   Procurement & Logistics Directorate/DITCO
      •   GIG Enterprise Services Engineering Directorate
      •   GIG Combat Support Directorate
             -   Center for Computing Services
      •   GIG Operations Directorate
             -   Field Security Operations Division

   NCES - Net-Centric Enterprise Services
   GIG - Global Information Grid
   BE - Bandwidth Expansion
   EEO - Equal Employment Opportunity
   NSA - National Security Agency
   DITCO - Defense Information Technology Contracting Organization

[1] Previously called Computing Services Directorate (CSD)

This report focuses on CS, under the GIG Combat Support Directorate. The FSO, under the GIG Operations Directorate, and other DISA organizations that support the CS are included only as they support the CS.

Center for Computing Services

The CS provides computer processing for the entire gamut of combat support functions, including transportation, logistics, maintenance, munitions, engineering, acquisition, finance, medicine, and military personnel readiness. With more than 800,000 users, CS operates over 1,400 applications in 18 geographically separate facilities utilizing more than 40 mainframes and 3,000 servers. The supported applications: 1) provide command and control of warfighting forces, 2) facilitate mobility of the warfighters through maintenance of the airlifter and tanker fleets, 3) provide warfighter sustainment through resupply and reorder, and 4) manage the medical environment and patient care.

CS features diverse locations, a defense-in-depth philosophy, and dual high-capacity Defense Information System Network connectivity. CS also utilizes automated systems management to control computing resources and realize economies of scale. CS has adopted assured computing philosophies and implemented initiatives in the Unisys and IBM mainframe environments to ensure that information and mission critical applications are continuously available to customers.
Such initiatives include facility upgrades, improved software and equipment availability, diverse and redundant communications, and measures to remotely replicate data. Assured computing, coupled with the ability to rapidly increase processing and storage capacity via utility contracts, enables DISA to provide the availability and surge capabilities that customers require.

CS offers computing services on both DISA-owned and customer-owned platforms. Computing services include computer operations, data storage, systems administration, security management, capacity management, system engineering, web and portal hosting, architectural development, and performance monitoring. Computing services are provided by a highly skilled workforce and performed in state-of-the-art computing facilities strategically located throughout the continental United States; Stuttgart, Germany; and Pearl Harbor, Hawaii. DISA facilities are operational 24 hours a day, 7 days a week, 365 days a year, and support both unclassified and classified computing environments. Services are available to the Services, Defense agencies, and combatant commanders. Chart 2 provides the organizational structure of CS.

Headquarters. The primary headquarters is located in Falls Church, Virginia. There are other headquarters elements located in Chambersburg, Denver, Dayton, and Pensacola, Florida [2]. There is a Director, Deputy Director, Chief of Staff, and two Special Advisors (one business and one technical), and the following five Divisions.

Business Management Center. The Business Management Center provides budgeting, resource management, manpower, personnel, training, business proposals, and Service Level Agreements. There are three primary elements: CS Headquarters, the Blue Ridge Center located in Chambersburg, and the Rocky Mountain Center located in Denver.

Programs & Implementation Division.
The Programs & Implementation Division manages and directs assigned programs for CS. Programs include the migration of legacy systems to standard systems, standard business practices, and definition of operational acquisition requirements. The Division Chief sets policy and procedures for CS project management, and has subordinate branches for Implementation Support, Mainframe, Mid-Tier, and Communications. This division also has liaison personnel located at each of the System Management Centers (SMCs).

[2] The office in Pensacola provides financial services and technical support and coordinates all transactions between the Business Management Centers and Defense Finance and Accounting Service.

Chart 2. Center for Computing Services (organization chart; the boxes are listed as they appear in the chart)

   Director
      •   Deputy Director
      •   Enterprise Economics & Acquisition
      •   Chief of Staff, Executive Secretary, Management Assistant, Administrative Assistant

   Divisions
      •   Business Management Center
      •   Programs & Implementation Division
      •   Operations Division
      •   Logistics Division
      •   Engineering & Architecture Division

   Operating sites (under the Operations Division)
      •   DECC-PE: Denver, Jacksonville, Chambersburg, Rock Island, Warner Robins, Norfolk, San Diego, Dayton, Huntsville
      •   DECC-ISC: San Antonio, St. Louis, Columbus
      •   DECC-SMC: Mechanicsburg, Ogden
      •   DECC-SMC/CCC: Oklahoma City, Montgomery
      •   DECC Europe
      •   DECC Pacific

   DECC - Defense Enterprise Computing Center
   SMC - Systems Management Center
   CCC - Communication Control Center
   PE - Processing Element
   ISC - Infrastructure Services Center
   Solid lines in the original chart denote direct control; dashed lines denote operational control.

Engineering and Architecture Division. The Engineering and Architecture Division conceives and develops alternative architectural strategies for adding new computer and telecommunications technologies into systems to increase system security, survivability, interoperability, endurance, and sustainability. This division directs and performs complex system engineering trade-off analyses for technology and facilities. This division has elements located at Falls Church and Denver.

Logistics Division. The Logistics Division advises the Director of CS on all logistics, acquisition, and facilities management issues and provides command direction and guidance to execute integrated logistics support for assigned activities and systems. This division manages logistics support for assigned operational elements of the Defense Information Infrastructure for the Directors of DISA and CS. This division provides matrixed, cost-effective, integrated life cycle logistics and acquisition support services to CS. This division has offices in Chambersburg, Denver, and Dayton. The Logistics Division also has a liaison officer in each of the four SMCs.

Operations Division. The Operations Division advises the Director of CS on all principal operations and has the overall responsibility for issuing operations and security standards, policies, plans, standard business processes, and standard operating procedures.
This division:\n\n   \xe2\x80\xa2   Tasks other CS elements as required to achieve the CS mission.\n\n   \xe2\x80\xa2   Manages and assesses operations and security of all assigned DISA information\n       processing, communications, and network systems.\n\n   \xe2\x80\xa2   Provides appropriate assets in response to contingencies and exercises.\n\n   \xe2\x80\xa2   Oversees the overall operational performance and effectiveness of the Defense\n       Information Infrastructure efforts implemented within CS as well as assigned\n       systems.\n\n   \xe2\x80\xa2   Develops and maintains CS programs for configuration management, executive\n       software, capacity management, incoming projects, and contingency operations.\n\n   \xe2\x80\xa2   Manages the Network Operations for CS and integrates it into the DISA Network\n       Operations program.\n\nThe Operations Division is organized in three layers \xe2\x80\x93 headquarters-level policy and\nplans, headquarters-level centralized operations, and direct operations. The direct\noperations layers include the operating sites and the Communications Control Centers\n(CCCs).\n\n              Operating Sites. The operating sites are called DECCs. The DECCs in\nthe Continental United States are divided into the following functional designations.\n\n                   1) System Management Centers (SMCs). The primary\n                      responsibility of each SMC is systems management and customer\n                      support functions for the mainframe and server computing\n                      environments. The SMCs are located in Mechanicsburg,\n                      Montgomery, Ogden, and Oklahoma City.\n\n                   2) Infrastructure Services Centers (ISCs). The ISCs perform\n                      system management for specialized fielding efforts from CS\n                      customers. The ISCs are located at Columbus and San Antonio.\n\n                   3) Processing Elements (PEs). 
Facility management, hardware\n                      support, physical security, touch labor for communication devices,\n                      and touch labor for media management are the primary\n                      responsibilities for each PE. The PEs are located in\n                      Chambersburg, Dayton, Denver, Huntsville, Jacksonville, Norfolk,\n                      Rock Island, San Diego, and Warner Robins.\n\n\n\n                                             12\n\x0c                  4) Legacy DECC. As a Legacy DECC, St. Louis has retained\n                     limited mainframe management and customer support functions.\n                     Until further optimization is completed, DECC St. Louis will have\n                     both SMC and PE responsibilities.\n\n               Communications Control Centers. The CCCs manage all classified and\nunclassified network devices. The CCCs are located at DECCs Montgomery and\nOklahoma City.\n\nInformation Assurance Support\n\nAlmost all of the DISA elements interact with CS to some degree. The following DISA\nelements have the greatest IA interaction with CS.\n\n        Chief Information Officer (CIO). The CIO provides staff support in\naccomplishing Information Resources Management duties, mandated by the\nClinger-Cohen Act. The CIO develops Information Resources Management and IT\npolicies, performs IT management strategic planning, and incorporates and disseminates\narchitecture and standards guidance, as well as IT investment criteria. The CIO advises\non acquisitions for DISA IT and coordinates with Office of the Secretary of Defense on\nInformation Resources Management, IT, and IT acquisition matters. The CIO is the\nDesignated Approving Authority (DAA) for DISA owned and operated internal IT\nenclaves and networks. 
The CIO manages the agency-wide programs for Privacy Act\nand records management, and manages implementation of the DISA Electronic Business\nand Electronic Commerce.\n\n        Field Security Operations. The mission of FSO is to provide information\nsystems, network security products, and direct funding and reimbursable services\nthroughout DoD, including the combatant commands, the Services, and Defense\nagencies. The FSO supports the National Command Authority, combatant commanders,\nJoint Task Force Computer Network Operations, the Services, and Defense agencies\nthrough Global Network Operations, Computer Emergency Response Capabilities, and\nInformation System Security Services. The FSO provides such support by directing,\nmanaging, and protecting critical elements of the GIG. In this capacity, the FSO is the\nCertifying Authority for the DISA DAA. The FSO:\n\n       \xe2\x80\xa2   develops, implements, and maintains security guidance and processes;\n       \xe2\x80\xa2   conducts full scope security reviews and provides assistance to combatant\n           commands, Directorates, Office of the Secretary of Defense, and DISA;\n       \xe2\x80\xa2   provides certification and accreditation support;\n       \xe2\x80\xa2   provides security training, security training products, and system\n           administrator (SA) certification;\n       \xe2\x80\xa2   implements security architecture and IA Tools;\n       \xe2\x80\xa2   provides specialized security database support;\n       \xe2\x80\xa2   provides security staff support to DISA Global Operations and CS;\n       \xe2\x80\xa2   provides Regional Computer Emergency Response Team support; and\n       \xe2\x80\xa2   provides Information Assurance Representatives to combatant commands.\n\n\n\n\n                                          13\n\x0cIn addition, FSO provides the following support to CS;\n\n       \xe2\x80\xa2   serves as Information Assurance Manager (IAM) and provides guidance and\n           advice 
to the Director of CS, his staff, and personnel on IA, communications,\n           and emanation security;\n       \xe2\x80\xa2   serves as the Security Manager (SM) and provides guidance and advice to the\n           Director of CS, his staff, and personnel on physical, industrial, personnel, and\n           information security and security management;\n       \xe2\x80\xa2   provides technical support on IA to the CS Engineering and Architecture,\n           Programs and Implementation, and Operations Divisions;\n       \xe2\x80\xa2   develops IA and traditional security solutions for the Business Management\n           Center for the development of business proposals;\n       \xe2\x80\xa2   develops and maintains IA and traditional security policies and procedures for\n           CS;\n       \xe2\x80\xa2   prepares and maintains PE Security Plans and Security Standard Operating\n           Procedures;\n       \xe2\x80\xa2   develops, prepares, and maintains the System Security Authorization\n           Agreement documents for the ISCs and PEs;\n       \xe2\x80\xa2   provides advice to the IA staff of the SMCs on the preparation of their\n           respective System Security Authorization Agreements; and\n       \xe2\x80\xa2   prepares Security Technical Implementation Guides (STIGs) applicable to all\n           DECCs.\n\nB.     Overview of Control Environment\nIA controls are layered and are applied through procedures and physical applications.\nControls are employed to protect resources from theft, loss, damage, inadvertent\ndisclosure, compromise, and deliberate attempts to gain access by forced or surreptitious\nmeans. 
Protection is accomplished through the employment of countermeasures to deter,\ndelay, detect, assess, and respond to unauthorized activity.\nCS has the responsibility of providing core services and meeting the CS customer\nexpectations through professional and consistent operations services and standard\nimplementation of proven industry best practices. CS is responsible for continual\nrefinement and analysis of operations performance metrics and practices to identify and\nimplement opportunities for improvement in the execution of core operations services\nand maintaining the integrity of the security posture of the operations environment.\nSecurity Management\n\nSecurity Review Program Guidance. In general, security review programs focus on\nmanagement actions that establish the DAA and the processes that support the\naccreditation of an automated information system. DoD implemented the OMB Circular\nA-130 requirements for a security program through DoD Instruction 5200.40, \xe2\x80\x9cDoD\nInformation Technology Security Certification and Accreditation Process (DITSCAP),\xe2\x80\x9d\nDecember 30, 1997, and other DoD policies. DISA Instruction 630-230-19, \xe2\x80\x9cAutomated\nData Processing Information Systems Security Program,\xe2\x80\x9d July 9, 1996, prescribes policy\nand assigns responsibilities for implementing, managing, and maintaining the DISA\n\n\n                                            14\n\x0cInformation Systems Security Program and implements the DoD programs, including\nDITSCAP and designation of DAA. The DITSCAP and resultant Certification and\nAccreditation program are major components of DISA\xe2\x80\x99s security review program.\n\nSecurity Control Program at the DECCs. 
The DISA Computing Services Security\nHandbook Version 3, Change 1, December 2000; the Information Assurance\nVulnerability Alert Handbook; and the STIGs, primarily covers the DoD, Federal\n(OMB), and DISA requirement for the primary operational-level guidance for\nimplementation of automated information system security controls. The DECC security\nmanagement organization structure and general business practices support the security\nprogram, including review of security controls.\n\nSecurity Roles and Responsibility\n\nDISA DAA/CIO. The DISA DAA/CIO retains the overall responsibility for the\nCertification and Accreditation as it pertains to the DITSCAP process of the CS sites.\n\nCS IAM. The CS IAM provides guidance and advice to CS on IA, communications, and\nemanation security. This position is located within the FSO, but is matrixed to CS. The\nCS IAM reports to the Chief of Operations on security matters. In those cases where\nthere is a disagreement relating to security, the CS IAM can go directly to the Deputy\nDirector or Director of CS.\n\nCS SM. The CS SM provides guidance and advice to the Director of CS, his staff, and\npersonnel on physical, industrial, personnel, and information security, as well as security\nmanagement. This position is located within the FSO, but is matrixed to CS. The CS\nSM reports to the Chief of Operations on security matters. In those cases where there is a\ndisagreement relating to security, the CS SM can go directly to the Deputy Director or\nDirector of CS.\n\nSite IAM. IAMs at the sites report to the Deputy Director or Director of the site. 
The\nIAM responsibilities are as follows:\n\n       \xe2\x80\xa2   develop and maintain an organization or DoD information system-level IA\n           program that identifies IA architecture, requirements, objectives and policies;\n           personnel; and processes and procedures;\n\n       \xe2\x80\xa2   ensure that information ownership responsibilities are established for each\n           DoD information system, to include accountability, access approvals, and\n           special handling requirements;\n\n       \xe2\x80\xa2   ensure the development and maintenance of IA certification documentation\n           according to DoD Instruction 5200.40, by reviewing and endorsing such\n           documentation, and recommending action to the DAA;\n\n       \xe2\x80\xa2   maintain a repository for all IA certification and accreditation documentation\n           and modifications;\n\n       \xe2\x80\xa2   ensure that Information Assurance Officers (IAOs) are appointed in writing,\n           as required, and provide oversight to ensure that they are following\n           established IA policies and procedures. In addition to meeting all access\n           requirements specified in DoD Directive 8500.1, all newly appointed IAOs\n           shall be U.S. citizens. Foreign nationals who are direct or indirect hires and\n           are currently appointed as IAOs may continue in these positions provided they\n\n                                            15\n\x0c           satisfy the provisions of DoD Directive 8500.1, are under the supervision of\n           an IAM who is a U.S. citizen; and are approved in writing by the DAA.\n           When circumstances warrant, a single individual who is a U.S. 
citizen may fill\n           both the IAM and the Information Assurance Officer (IAO) roles;\n\n       \xe2\x80\xa2   ensure that all IAOs and privileged users receive the necessary technical and\n           IA training, education, and certification to carry out their IA duties;\n\n       \xe2\x80\xa2   ensure that compliance monitoring occurs, and review the results of such\n           monitoring;\n\n       \xe2\x80\xa2   ensure that IA inspections, tests, and reviews are coordinated;\n\n       \xe2\x80\xa2   ensure that all IA management review items are tracked and reported;\n\n       \xe2\x80\xa2   ensure that incidents are properly reported to the DAA and the DoD reporting\n           chain, as required, and responses to IA-related alerts are coordinated; and\n\n       \xe2\x80\xa2   act as the primary IA technical advisor to the DAA and formally notify the\n           DAA of any changes impacting the DoD information system\'s IA posture.\n\nSite IAO. IAOs at the sites report to the IAMs of the site. 
The IAO responsibilities are\nas follows:\n\n       \xe2\x80\xa2   assist the IAM in meeting the duties and responsibilities outlined above;\n\n       \xe2\x80\xa2   ensure that all users have the requisite security clearances and supervisory\n           need-to-know authorization, and are aware of their IA responsibilities before\n           being granted access to any DoD information system;\n\n       \xe2\x80\xa2   initiate protective or corrective measures, in coordination with the IAM, when\n           an IA incident or vulnerability is discovered;\n\n       \xe2\x80\xa2   ensure that IA and IA-enabled software, hardware, and firmware comply with\n           appropriate security configuration guidelines;\n\n       \xe2\x80\xa2   ensure that DoD information system recovery processes are monitored and\n           that IA features and procedures are properly restored;\n\n       \xe2\x80\xa2   ensure that all DoD information system IA-related documentation is current\n           and accessible to properly authorized individuals; and\n\n       \xe2\x80\xa2   implement and enforce all DoD information system IA policies and\n           procedures, as defined by its security certification and accreditation\n           documentation.\nRisk Assessments\n\nCS implemented a risk assessment process to identify and manage risks that could affect\ncustomer organizations. This process requires a formal risk assessment, which is part of\nthe System Security Authorization Agreement. The process also includes an external and\ninternal compliance validation and procedures to maintain an acceptable level of risk.\n\n\n\n                                            16\n\x0cFormal Risk Assessment. The FSO prepares the formal risk assessment for each CS\nsite. The threat is determined by validating countermeasures that have been implemented\nto determine the residual risk. 
Various tools are used to validate the effectiveness of the\nimplemented countermeasures, including the SRR and the vulnerability scan used to\ndetermine the effectiveness of the network, systems, physical, personnel, information,\nand industrial security procedural countermeasures. These can be conducted by the FSO\nor as self-assessments performed by site personnel. Environmental and facility reviews\nconducted by CS Facility Engineers are used to determine the effectiveness of facility\nand environmental countermeasures. Various Federal Emergency Management Agency\nweb sites are used to determine weather, climatic, and natural threats.\n\nThe IAMs for DECCs are responsible for reviewing and identifying pen and pencil\nchanges to risk assessment documents on an annual basis. If there are no changes noted,\nthe formal risk assessment document is not re-dated or re-signed. The CS IAM is\nresponsible for reviewing and making changes to the DECC PEs risk assessment\ndocuments as they occur. The formal risk assessment is a required appendix to the\nSystem Security Authorization Agreement under the DITSCAP by DISA DAA (the\nDISA CIO). A complete formal review and documented risk assessment is only\nconducted every three years 3 .\n\nMission Assurance Category. The mission assurance category (MAC) reflects the\nimportance of information relative to the achievement of DoD goals and objectives,\nparticularly the warfighter combat mission. MACs are the basis for determining\navailability and integrity control requirements. DoD has three defined MACs.\n\n       \xe2\x80\xa2   MAC I. Systems handling information that is vital to the operational readiness or\n           mission effectiveness of deployed and contingency forces in terms of both content\n           and timeliness. The consequences of loss of integrity or availability of a MAC I\n           system are unacceptable and could include the immediate and sustained loss of\n           mission effectiveness. 
MAC I systems require the most stringent protection\n           measures.\n\n       \xe2\x80\xa2   MAC II. Systems handling information that is important to the support of\n           deployed and contingency forces. The consequences of loss of integrity are\n           unacceptable. Loss of availability is difficult to deal with and can only be\n           tolerated for a short time. The consequences could include delay or degradation\n           in providing important support services or commodities that may seriously impact\n           mission effectiveness or operational readiness. MAC II systems require\n           additional safeguards beyond best practices to ensure assurance.\n\n       \xe2\x80\xa2   MAC III. Systems handling information that is necessary for the conduct of\n           day-to-day business, but does not materially affect support to deployed or\n           contingency forces in the short-term. The consequences of loss of integrity or\n           availability can be tolerated or overcome without significant impacts on mission\n           effectiveness or operational readiness. The consequences could include the delay\n           or degradation of services or commodities enabling routine activities. MAC III\n           systems require protective measures, techniques, or procedures generally\n           commensurate with commercial best practices.\n\n\n\n3\n    As a result of the transformation, most of the formal risk assessments will need to be updated to reflect\n    the new environment.\n\n\n\n                                                        17\n\x0cCompliance Validation\n\nDISA compliance validation is conducted both externally by the FSO and within CS\nusing automated scripts and the IA connection approval process. The results are\nmaintained in the Vulnerability Management System (VMS) and Security Automated\nDatabase databases. 
CS categorizes the findings or vulnerabilities into four categories,\nbased on severity.\n\n   \xe2\x80\xa2   Finding Category I. Any vulnerability that may result in a total loss of\n       information or which provide an unauthorized person or software immediate\n       access into a system, gains privileged access, bypasses a firewall, or results in a\n       denial of service.\n\n   \xe2\x80\xa2   Finding Category II. Any vulnerability that provides information that has a high\n       potential of giving access to an unauthorized person, or provides an unauthorized\n       person the means to circumvent security controls.\n\n   \xe2\x80\xa2   Finding Category III. Any vulnerability that provides information that\n       potentially could lead to an unauthorized access.\n\n   \xe2\x80\xa2   Finding Category IV. Any vulnerability that is all other possibilities that\n       contributes to degraded security.\n\nExternal Compliance Validation. The external compliance validation is conducted by\nthe FSO. Because of the number and size of the sites, a complete review of each site\ncannot be made on an annual basis. The complete review is conducted during a\nthree-year cycle to coincide with the formal accreditation cycle. The number of FSO\nvisits is dependent on reviewing thirty-three percent of each site\xe2\x80\x99s assets on an annual\nbasis. Per DITSCAP, accreditation decisions are made for a maximum of a three-year\nperiod. Annual reviews conducted by the FSO are known as Information Assurance\nReadiness Reviews. The Information Assurance Readiness Review includes a review of\nprocedures, documentation, SRRs, and a vulnerability or penetration scan. All\nInformation Assurance Readiness Review results are entered into VMS and briefed to the\nresponsible senior management and security staff as well as the Director, CS.\n\nSystem Readiness Reviews. The SRRs are manual (the traditional SRR) or automated\nchecks (the technical SRR).\n\n       Traditional SRR. 
The traditional SRR determines whether policies and\nprocedures on physical, information, personnel, industrial, communications, and\nemanations comply with DoD regulations and DISA instructions. It also validates\nwhether policies and procedures are correctly and adequately implemented.\n\n        Technical SRR. The technical SRR uses automated checks of network devices,\nfirewalls, intrusion detection systems, operating systems, databases, and web applications\nto verify that standard configuration settings are in accordance with applicable STIGs.\n\n        Vulnerability Scans. The Vulnerability Assessment Process utilizes a\ncommercial automated scanning tool, Internet Security Scan, that checks for known or\ndemonstrated vulnerabilities. The scan is a two-step process. The first step is external to\nthe perimeter of the enclave and determines the robustness of perimeter defenses. The\nsecond step is internal of the perimeter of the enclave and determines the robustness of\nthe defense of each device within the enclave. Scan results, when associated with the\ncommunications, server, database, and web applications running on a device, have been\n\n                                            18\n\x0cadapted to feed into the SRR database, which is a part of the VMS database. Where\nfindings from the scan cannot be associated with a specific device, it is called a\nVulnerability Assessment Process Report and is associated with the network of that\nenclave.\n\nInternal Compliance Validation. There are two internal compliance validation\nprocesses. The first validation process is an automated review process that utilizes\nscripts developed by the FSO to test server compliance. Server operating systems\nmanaged locally and remotely by SMCs Mechanicsburg, Montgomery, Ogden, and\nOklahoma City are subject to self-assessment automated scripts that are run on a weekly\nbasis. The results are posted to the Security Automated Database and remediation\nactions are tracked. 
The results of the reviews are forwarded to the appropriate SAs and\ntheir supervisors.\n\nThe second validation process is the IA connection approval process. The IA connection\napproval process uses FSO SRR scripts and checklists for servers, databases, and web\nservices to complete self-assessments of new servers or software upgrades. The\nself-assessment results are fed into the SRR database and are forwarded to the connection\napproval authority for review and approval. To obtain approval, servers, databases, or\nweb services must have no open Category I findings as the results of the FSO SRR\nscripts and checklists, and at least 90-95 percent compliance 4 with all possible Category\nII and III findings. The senior person at the DECC SMC, and DECC ISC is the\napproving authority for those organizations. The CS, Chief of Operations, is the\napproving authority for all DECC PEs and all CS Headquarters Divisions.\n\nVulnerability Databases. CS uses two databases to track vulnerabilities, VMS and\nSecurity Automated Database. VMS is maintained by the FSO, while the Security\nAutomated Database is maintained by SSO Montgomery. The two databases do not\nshare information at this time.\n\n        Vulnerability Management System. VMS is a DoD and DISA vulnerability\nmanagement system. The DoD portion of the system is a database known as the\nInformation Assurance Vulnerability Management database. The Information Assurance\nVulnerability Management database is used by DoD to track acknowledgement and\ncompliance with alerts released under the Information Assurance Vulnerability\nManagement program as directed by Chairman of Joint Chiefs of Staff\nInstruction 6510-01D. The DISA portion of VMS has two databases; one is the SRR\ndatabase and the other is the Vulnerability Compliance Tracking System database.\n\n                SRR Database. 
The SRR database identifies SRR findings, tracks\nremediation of those findings, and has an automated waiver process for findings that\ncannot be fixed within an established timeframe. The CS IAM is responsible for\nchecking VMS to determine who reviews open SRR findings and determines what the\nplan of action is to remediate the findings. The CS IAM also reviews requests for\nwaivers to open SRR findings and renders a concurrence decision to the DISA approving\nauthority.\n\nThe timeframe for correcting findings is 5 days or immediately for Category I, 180 days\nfor Category II, and 270 days for Category III and IV vulnerabilities. The CS IAM\nnotifies the responsible site IAM of any concerns and assets that are not in compliance\n\n\n4\n    The percentage varies based on the technology.\n\n\n\n                                                     19\n\x0cwithin allotted timeframes. The status of open Category I findings and findings that are\nnot in compliance within the allotted timeframes are briefed to the Director, CS and\nprimary CS staff 5 on a weekly basis.\n\n               Vulnerability Compliance Tracking System database. The\nVulnerability Compliance Tracking System database tracks DISA\xe2\x80\x99s acknowledgement\nand compliance with the DoD Information Assurance Vulnerability Management 6\nprogram. Vulnerability Compliance Tracking System has a registry of all assets with\nassociated operating systems and utility software, and identifies the owner of the asset\nand the responsible primary and alternate SAs. As alerts are released in the Information\nAssurance Vulnerability Management program, the Vulnerability Compliance Tracking\nSystem notifies the SA and IAM of alert by email. 
The SA is responsible for\nacknowledging receipt of the notification and updating the status of Information\nAssurance Vulnerability Management releases in the Vulnerability Compliance Tracking\nSystem.\n\nThe CS IAM is responsible for checking VMS to determine who is not in compliance\nwith Information Assurance Vulnerability Management releases. The CS IAM notifies\nthe responsible site IAM or IAO of any concerns and assets that are not in compliance\nwithin seven working days of the compliance date. The status of compliance is briefed to\nthe Director of CS and primary staff on a weekly basis. The CS IAM also reviews\nrequests for extensions to compliance dates and recommends a concurrence or non-\nconcurrence to the approving authority, the DISA DAA. The FSO provides technical\nreviews for the CS IAM on request.\n\n        Security Automated Database. The Security Automated Database was created\nto track and remediate automated SRR self-assessment issues. The automated SRR\nprogram uses automated scripts developed by the FSO to conduct SRRs across the\nnetwork using Secure File Transfer Protocol. The FSO has SRR scripts for all Windows,\nUNIX, LINUX, Oracle Database, and Standard Query Language databases and is moving\ntoward running weekly SRRs on all servers, Oracle Databases, and Sequel Server\nDatabase by the end of 2005. Automated SRR scripts are limited in that they cannot\nperform the manual checks of the STIGs. Automated SRR scripts only test the\nconfiguration settings of the hardware and software associated with the IT. Operating\nsystems scripts are capable of checking most of the configuration settings while the\ndatabase scripts are capable of checking only approximately 35 percent of the\nconfiguration settings. 
The FSO and CS are working collectively on improving the SRR\nscripts and developing scripts for the other operating systems, the mainframe (IBM and\nUnisys) operating systems, and web software.\n\nThe security staff at the SMCs reviews and updates findings from the weekly automated\nSRR and monitors the remediation, especially any Category I and II findings. All\nCategory I findings are entered in the trouble ticket system, Trouble Ticketing\nManagement System, and flagged for immediate remediation. Site directors are briefed\non the results of the automated scripts on a weekly basis and the Director, CS and\nprimary CS staff are briefed on the results of the automated scripts on a monthly basis.\n\n\n\n5\n    Deputy Director, Chief of Staff, and the Division Chiefs for Business Management Center, Programs and\n    Implementation, Engineering and Architecture, Operations, and Logistics.\n6\n    Includes alerts, bulletins, and advisories.\n\n\n\n                                                    20\n\x0cInformation Assurance Monitoring\n\nIA monitoring occurs at the enclave perimeters as well as within systems, database, and\nweb software running within those systems. In addition to the external FSO reviews and\nthe internal CS reviews, CS networks are also subject to monitoring by the Global\nNetwork Security Center as part of the GIG monitoring and internal network monitoring.\n\nGIG Monitoring. There are network Intrusion Detection Systems (IDSs) located on the\nGIG that monitor standard security policy. The GIG network IDS, monitored by Global\nNetwork Security Center, is known as the Joint Intrusion Detection System. The Center\nmonitors all Joint Intrusion Detection Systems on the GIG within the continental United\nStates. There are various other centers located around the world and all centers feed into\na DoD Global Network Center Network Defense. This concept can identify any\ninformation threat on an isolated, regional, or global basis. 
The Global Network Security\nCenter notifies any element, to include CS, of any type of potential unauthorized attack\nor access. The Global Network Security Center works with the CS CCCs and individual\nsite IA staff to help identify, isolate, investigate, and remediate potential threats.\n\nCS Enclave Perimeter Monitoring. All CS enclave perimeters have a layered defense\nthat consists of an access control list on the perimeter router, firewalls, and a network\nIDS. The security staff located in the CCCs develops the security profiles for the enclave\nperimeter router, perimeter firewall, and perimeter network IDSs and monitors their\nrespective reports and audit logs for unauthorized access or activities. This covers the\nentire continental United States-based CS network. The security staffs located at DECCs\nEurope and Pacific perform the same tasks locally for their respective enclave perimeter\ndevices. Suspected incidents are investigated in concert with trusted agents from the\ncustomer base or data owners to determine the legitimacy of the incidents. If a\nsuspected incident cannot be validated as authorized, it is reported to the Computing\nServices Cell within the DISA Network Operations Center and to the Global Network\nSecurity Center. The Global Network Security Center then directs all actions for the\nincident and closes it or turns it over to the appropriate investigative agency for action.\nThe Computing Services Cell reports the incident to the Computing Services Issue Center,\nwithin the CS Operations Division.\n\nThe objective of the layered defense is to provide a deny-by-default posture at the\nperimeter of the enclave. Deny-by-default means that only those addresses, ports,\nprotocols, accesses, and actions that are explicitly authorized are allowed, and everything\nthat is not authorized is denied.\n\nEnclave Monitoring. Security staff at the DECCs review system and database audit\nrecords, weekly as a minimum, for suspicious actions. 
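The weekly audit-record review described above is a triage step: records that look suspicious are pulled out for the preliminary inquiry that follows. The block below is an added example of that triage written for this page; it is not CS or DISA code. The record layout, the roster of accounts authorized for privileged access, the set of privilege-relevant actions, and the maintenance window are all assumptions made for illustration, and the sample records are constructed.

```python
"""Weekly audit-record review: flag privileged or unexpected actions for inquiry.

Added example, not from the DISA report. The record format, the roster of
accounts authorized for privileged access, and the maintenance window are
assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time

# Assumed: accounts authorized to hold privileged (root / DBA) access.
PRIVILEGED_ROSTER = {"sa_jones", "dba_lee"}

# Assumed: approved window for privileged changes, local time, [start, end).
WINDOW_START, WINDOW_END = time(1, 0), time(5, 0)

# Assumed record layout: "<ISO-8601 timestamp> <host> <user> <action> <detail>"
RECORD_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")

# Host and database actions that change privilege or accounts.
PRIVILEGED_ACTIONS = {"SU", "SUDO", "USERADD", "GRANT", "ALTER_USER"}


@dataclass
class Finding:
    line_no: int
    user: str
    action: str
    reason: str


def parse(record):
    """Split one record into (timestamp, host, user, ACTION, detail) or None."""
    m = RECORD_RE.match(record)
    if not m:
        return None
    ts, host, user, action, detail = m.groups()
    return datetime.fromisoformat(ts), host, user, action.upper(), detail


def in_window(ts):
    return WINDOW_START <= ts.time() < WINDOW_END


def review(records):
    """Return the records that need a preliminary inquiry, with the reason.

    This is the triage step only: whether a flagged action was in fact
    authorized is settled afterwards with the customer or data owner.
    """
    findings = []
    for n, rec in enumerate(records, 1):
        parsed = parse(rec)
        if parsed is None:
            findings.append(Finding(n, "?", "?", "unparseable record"))
            continue
        ts, _host, user, action, detail = parsed
        if action not in PRIVILEGED_ACTIONS:
            continue
        if user not in PRIVILEGED_ROSTER:
            findings.append(Finding(n, user, action,
                                    "privileged action by non-privileged account"))
        elif not in_window(ts):
            findings.append(Finding(n, user, action,
                                    "privileged action outside maintenance window"))
        if action == "GRANT":
            # A grant of an elevated role to an account outside the roster is
            # suspicious even when the grantor and the time are both acceptable.
            m = re.search(r"\bTO\s+(\S+)", detail, re.IGNORECASE)
            grantee = m.group(1).strip("';") if m else "?"
            if grantee not in PRIVILEGED_ROSTER:
                findings.append(Finding(n, user, action,
                                        "elevated privilege granted to " + grantee))
    return findings


# Constructed sample records; not data from any DECC.
SAMPLE_RECORDS = [
    "2005-03-14T02:10:00 decc01 sa_jones SUDO /usr/sbin/useradd appsvc",
    "2005-03-14T09:45:12 decc01 jdoe SU root",
    "2005-03-14T03:05:30 decc02 dba_lee GRANT DBA TO reportuser",
    "2005-03-14T14:22:01 decc02 dba_lee ALTER_USER hr_app PASSWORD_RESET",
    "2005-03-14T10:00:00 decc01 jdoe LOGIN tty1",
    "corrupt record",
]

if __name__ == "__main__":
    for f in review(SAMPLE_RECORDS):
        print("record %d: %s %s: %s" % (f.line_no, f.user, f.action, f.reason))
```

Run as a script, the sample set yields four items for inquiry: a root escalation by an account not on the roster, a DBA role granted to an ordinary account, a privileged change outside the window, and one record the parser could not read (unreadable audit data is itself worth a question, since it may indicate tampering or a broken audit trail). The in-roster, in-window account creation is left alone; the review deliberately stops short of deciding validity, which the text assigns to the follow-up with the customer and data owners.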
They perform preliminary inquiries\nwith the customer, data owners, and others to determine the validity of suspicious\nactions. If an action cannot be validated and it involves an unauthorized privileged-level\nor user-level action, the action is reported to the Global Network Security Center\nand the CS Global Network Security Liaison Officer, within the CS Operations Division.\n\nSome of these sites also monitor the system and database audit reports using a host-based\nIDS. Validated unauthorized privileged or user accesses are reported up the same chain as\nthe other incidents. All security incidents reported to the Computing Services Issue\nCenter are briefed to the Director and Chief of Operations for CS every morning, Monday\nthrough Friday.\n\nFSO Monitoring. The FSO conducts external vulnerability scanning twice a year for the\nNIPRNET and SIPRNET connections at all sites from Chambersburg. If the scan does\nnot penetrate or identify a weakness in the enclave perimeter, the scan is terminated. If\nthe scan does identify a weakness in the enclave perimeter, the scan continues to further\nidentify weaknesses. The results are entered into VMS and are briefed to the site director\nand senior staff.\n\nSegregation of Duties\n\nMainframes. In the mainframe environment, the IAO applies system security via the\naccess control program. For the Unisys mainframe, the access control program is a\nproduct known as SIMON. The IBM mainframe access control program products are\nResource Access Control Facility, Access Control Facility 2, and Top Secret. The IAO\nalso monitors security audit records to identify security concerns.\n\nServers. 
The SAs implement security for servers, operating systems, databases, web\nservers, and web-based applications; primarily UNIX, Windows, Solaris, and Tandem.\nThe IAO identifies each user\xe2\x80\x99s security profile, provides the SA with requirements, and\nthen validates that the profile has been implemented as prescribed. The IAO also\nmonitors security audit records to identify possible security concerns.\n\nPersonnel Controls\n\nAll civilian personnel are subject to Federal Civilian Personnel Systems. All personnel\nmust meet employment requirements and are subject to a favorable personnel security\ninvestigation. An authorization document, known as the Joint Table of Distribution,\nauthorizes all government (civilian and military) positions. This document also identifies\nthe sensitivity, IT level, and security clearance requirement for each position. These\nthree elements determine the type of investigation required and the type and frequency of\nperiodic reinvestigations.\n\nAll personnel are subjected to various levels of personnel security investigation, which is\nbased on the level of privileges they have within systems. All personnel possess a Secret\nclearance with IT-2 level, except for the SAs. The SAs are required to have a Secret\nclearance with IT-1 level.\n\nAll personnel security is managed and monitored by the CS SM in Chambersburg, in\nconcert with site SMs. The CS SM submits all personnel security actions through the\nDISA Security Office located at DISA Headquarters. 
The DISA Security Office issues\nrequests for additional information, intent to deny or revoke, and actual revocations of\nsecurity clearances or favorable investigations.\n\nEnvironmental Controls\n\nThe Facilities Engineering Branch, a CS Headquarters organization in Denver, establishes\nfacility standards for the DECCs on electrical distribution, uninterruptible power supply,\nfire detection and fire suppression, and climate control in accordance with national\nstandards.\n\nElectrical Distribution. Each site has at least two electrical power feeds, either from the\ninstallation or from another commercial source. There are automatic voltage controls at all\ncomputing facilities, and alerts are issued for any potential electrical problems. There is a master\npower switch located at the primary entrances in all computer facilities.\n\nUninterruptible Power Supply. Each site has an uninterruptible power supply consisting\nof constantly charged batteries in case of power disruption. The uninterruptible power\nsupply is constantly monitored and alerts staff of any potential problem. Each site is also\nequipped with generators that provide an automatic start-up power source. Backup\npower sources are tested on a periodic basis to ensure that they function properly and\nprovide sufficient electrical power to meet site operating requirements. Additional fuel is\nstored on site for sustained backup operations. The fuel is tested on an annual basis for\ncontamination.\n\nFire Detection. Most administrative areas are protected by fire detection systems that\nalarm either locally or at a responding fire department. All computing facilities are\nprotected by automatic fire detection systems that alarm at the responding fire\ndepartment.\n\nFire Suppression. All administrative areas are protected by either automatic or manual\nfire suppression systems. 
All computing facilities are protected by automatic fire\nsuppression systems, triggered by smoke or heat detectors, that suppress fires when heat\nor smoke is detected.\n\nFire prevention is an inherent responsibility of every CS employee and requires alertness\nand cooperation from all individuals and agencies that may be in the building. Each site\nfollows the facility emergency plan for the protection of all Government employees and\nprivate industry tenants.\n\nClimate Control. There are mechanical systems that maintain the constant and desired\ntemperature, humidity, and air particle levels. The climate control system is constantly\nmonitored and alerts staff of any potential problems. Many of the computer facilities are\nequipped with water detection systems and a water drainage system to handle excess\nwater under the raised floor area.\n\nPhysical Security Controls\n\nAdministrative Areas. All buildings and administrative areas have limited entry points,\nand all are protected by automated access card systems or by guards located at the\nentrances. In some cases, both are used: guards protect the area during normal duty hours\nfrom Monday through Friday, and the automated access card system controls access\nduring all off-duty hours. All personnel must wear identification badges while in the\narea. Visitors to all sites must be signed into the administrative area and obtain local\nbadges that must be displayed while in the buildings. The issuance of an escort-required\nor a non-escort-required visitor badge depends on the validation of the visitor\xe2\x80\x99s investigation\ntype and security clearance.\n\nComputer Facility. 
All computer facilities have implemented the following physical\ncontrols.\n\n   \xe2\x80\xa2   Computer facilities have true floor-to-ceiling walls or alarms that dispatch a\n       response team.\n\n   \xe2\x80\xa2   Limited entrance and exit doors equipped with automated systems that require an\n       access card and personal identification number to gain entry.\n\n   \xe2\x80\xa2   Emergency exits are equipped with panic release bars that have a \xc2\xbd-inch deadbolt\n       throw. Emergency exits do not have external opening devices.\n\n   \xe2\x80\xa2   Doors and windows are equipped with intrusion detection systems that dispatch a\n       response team.\n\n   \xe2\x80\xa2   Doors are constructed of metal, solid wood, or glass. Door hinges are protected\n       from removal by set screws, pins, or spot welds.\n\n   \xe2\x80\xa2   Personnel authorized unescorted access are listed on access rosters.\n\n   \xe2\x80\xa2   Visitors are required to sign into and out of the facility, and those that do not\n       possess the required clearance must obtain escort-required badges and be escorted at\n       all times while in the facility.\n\n   \xe2\x80\xa2   Walls inside the building that are external to computing areas have signs posted\n       identifying the area as a \xe2\x80\x9cRestricted Area.\xe2\x80\x9d\n\nFacility Support Areas. Access to facility support areas is controlled either by fencing,\nautomated access control systems, or key locking devices. These areas are not\nconsidered \xe2\x80\x9cRestricted Areas.\xe2\x80\x9d Most of the facilities have closed circuit television\ncoverage of all doors to computer facilities, buildings, and facility support areas inside\nand outside of the buildings. A local guard monitors the cameras at some sites. 
Where\ncameras are not monitored, access is recorded and surveillance tapes are maintained for\nat least 30 days.\n\nInformation Security Controls\n\nOnly properly cleared personnel with a need-to-know are granted access to classified\ninformation. All classified paper documents are stored in General Services\nAdministration (GSA) approved security containers.\n\nCombinations to approved storage areas and security containers are restricted to only\nthose who need to gain access, and a DISA Form 190A identifies who holds the\ncombinations. The combination is treated as classified information and must be stored\nin another security container. All security containers and approved storage areas must\nhave a Standard Form 702 on the outside, annotated with the initials of the\nperson opening the container as well as the date and time the container was opened and\nclosed. Security containers are to be inspected daily, and the inspection annotated on the\nStandard Form 702, to prevent a security breach.\n\nAll classified transmissions that egress the perimeter router are encrypted using National\nSecurity Agency Type I encryption devices and keying material. In some cases,\ntransmissions inside the enclave are not encrypted but are required to be carried in an\nappropriate protected distribution system.\n\nFederal Information Processing Standards Publication 140-2 compliant encryption is\nused to protect the transmission of unclassified information when required by the\ncustomer in the Service Level Agreement.\n\nAll computing areas that process classified information must be an approved classified\ninformation storage area or be continuously manned by properly cleared personnel who\ncan observe every device (computing and networking) processing classified information.\n\nInformation stored on magnetic media is not encrypted unless the customer requests\nit. 
National Security Agency devices are used for classified information, and\nFederal Information Processing Standards Publication 140-2 compliant devices are\nused for unclassified information. All classified and unclassified information must be\ndestroyed using approved methods of destruction in accordance with DoD\nRegulation 5200.1-R.\n\nIndustrial Security Controls\n\nContracts must address security requirements. The contract should identify:\n\n     \xe2\x80\xa2   the requirement for IT level and the personnel security investigation;\n\n     \xe2\x80\xa2   the requirement for the contractor to provide visit request information for all\n         contractor personnel that need to visit a government location;\n\n     \xe2\x80\xa2   the requirement to comply with all security policies and procedures at\n         government locations;\n\n     \xe2\x80\xa2   the configuration requirement for contractor-provided equipment that will be\n         connected to government networks and enclaves, if no government-furnished\n         equipment is provided; and\n\n     \xe2\x80\xa2   the requirement for a DD Form 254, for contracts that require access to classified\n         information, that outlines the required level of security clearance, where classified\n         information can be accessed, and any special instructions.\n\n\nC. 
Information and Communication\n\nInformation Systems Overview\n\nThe concept of operations for the CS emphasizes and describes a \xe2\x80\x9ccustomer focused\xe2\x80\x9d\nenvironment, organized with SMCs, OSTs, and production operations environments\ndesigned to provide problem resolution and situational awareness over all\ndomains of a dynamic production environment that is operational 24 hours a day, 7 days\na week, 365 days a year.\n\nCS customer support demands include multiple classifications of secure environments,\nmulti-vendor UNIX environments, Intel-based server environments, IBM and Unisys\nmainframe environments, multiple commercial database environments, commercial\noff-the-shelf applications, government off-the-shelf applications, customized legacy\nsystems, web-based systems, voice-based systems including commercial telephone\nswitch support, private branch exchange support, and multiple communications\ninfrastructures. CS must have knowledge of the products, services, and applications used\nby its customer base, as well as information regarding the internal health of the CS IT\nenvironment, to provide professional, knowledgeable, and proactive support.\n\nCommunication\n\nCS has implemented various methods of communication to ensure that all employees\nunderstand their individual roles and responsibilities. These methods include New\nEmployee Orientation, Individual Development Plans, the CS Plan of the Week that\nsummarizes various significant events, and the use of electronic mail messages to\ncommunicate time-sensitive messages and information. The Director of CS holds a\nweekly staff meeting with all CS Division Chiefs. All site Chiefs also hold periodic staff\nmeetings as appropriate. 
Every employee within CS has a written position description,\nand every position description details the responsibilities required of the\nindividual.\n\nThe CS Business Management Center is responsible for Headquarters-level customer\nrelations and acts as the face to the customer.\n\nEach operating site within CS maintains detailed records of problems reported by\ncustomers and of problems or incidents noted during processing, and monitors such items\nuntil they are resolved. CS Operations Division Network Operations is responsible for the\nup-channel reporting of operations incidents. Categories of incidents have been\nidentified as high impact, high visibility, or high interest, requiring detailed reporting to a\ndefined chain of senior management. Specific information requirements have been\ndefined for the incident reports to help ensure completeness, accuracy, and\nunderstandability. Standard trouble tickets that provide the basic information must be\ncleansed to ensure that these informational requirements are met and consolidated into\nthe defined incident reporting format.\n\n\nD. Control Objectives and Related Control Activities\n\nCS control objectives and related controls are included in Section III of this report,\n\xe2\x80\x9cControl Objectives, Control Activities, and Tests of Operating Effectiveness,\xe2\x80\x9d to\neliminate the redundancy that would result from listing them in this section and repeating\nthem in Section III. Although the control objectives and related controls are included in\nSection III, they are, nevertheless, an integral part of the CS control descriptions.\n\n\nE. User Control Considerations\n\nComputing Services User Controls\n\nCS and its customers share the controls over the users. 
This shared environment\nnormally is delineated between the computing environment and the applications.\n\nCS has established the following user controls for the computing environment.\n\n   \xe2\x80\xa2   Each user has an individual user identification for all platforms.\n\n   \xe2\x80\xa2   Each user has individual user password authentication for open-system servers.\n\n   \xe2\x80\xa2   Each user has an individual user identification, password, and secure-identification\n       for IBM mainframes.\n\n   \xe2\x80\xa2   All privileged users should use the client-based Virtual Private Network or the\n       Out-of-Band Network. Where there is an exception, privileged users must use an\n       encryption-protected access method (e.g., Secure Sockets Layer or Secure Shell).\n\n   \xe2\x80\xa2   All system access, by human or machine, requires a DD Form 2875 (System\n       Authorization Access Request).\n\n   \xe2\x80\xa2   All users must acknowledge their responsibility for their user identifications and\n       passwords.\n\n   \xe2\x80\xa2   Each supervisor must acknowledge his subordinates\xe2\x80\x99 user requirement and IT\n       level.\n\n   \xe2\x80\xa2   The data owner or his designated representatives must acknowledge access for the\n       data user.\n\n   \xe2\x80\xa2   The SM must validate the user\xe2\x80\x99s security investigation and security clearance.\n\n   \xe2\x80\xa2   Each user must attend initial and periodic IA awareness training.\n\n   \xe2\x80\xa2   The SAs have passed the required security certification testing as a Level I, II, or\n       III, as appropriate.\n\n   \xe2\x80\xa2   User sessions time out after 15 minutes of inactivity.\n\n   \xe2\x80\xa2   User identifications are locked out after three incorrect log-on attempts.\n\nCustomer User Controls\n\nCustomers are expected to have the following general user controls, at a minimum, built\ninto their applications. 
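Two of the computing-environment user controls listed above are numeric and mechanical: a 15-minute inactivity time-out and lock-out after three incorrect log-on attempts. The block below is an added example of how those two controls are typically enforced in application code; it is not CS or DISA code. The thresholds are the ones the report states, while the account model, the PBKDF2 password hashing, and the administrator unlock step are assumptions made for illustration.

```python
"""Account lock-out after three failed log-ons and a 15-minute idle time-out.

Added example, not CS or DISA code. The thresholds are the ones the report
lists; the account model, PBKDF2 password hashing, and the administrator
unlock step are assumptions made for illustration.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 3                 # lock after the third incorrect log-on
IDLE_TIMEOUT = timedelta(minutes=15)    # session ends after 15 minutes unused


def _hash(password, salt):
    """PBKDF2-HMAC-SHA256; the iteration count is an assumption, not a DISA setting."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Account:
    def __init__(self, user_id, password):
        self.user_id = user_id
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.failed_attempts = 0
        self.locked = False


class Session:
    def __init__(self, user_id, started):
        self.user_id = user_id
        self.last_activity = started


def login(acct, password, now):
    """Return a Session on success, None on failure or when the account is locked."""
    if acct.locked:
        # A locked account refuses even the correct password until an
        # administrator unlocks it; the failure counter is not consulted.
        return None
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0        # a success resets the consecutive-failure count
        return Session(acct.user_id, now)
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
    return None


def touch(sess, now):
    """Record user activity. Returns False when the session has timed out.

    The idle clock is measured from the last recorded activity, so a session
    that is used every 14 minutes never expires, while one left alone for
    more than 15 minutes does.
    """
    if now - sess.last_activity > IDLE_TIMEOUT:
        return False
    sess.last_activity = now
    return True


def admin_unlock(acct):
    """Assumed administrator action after the user's identity is re-verified."""
    acct.locked = False
    acct.failed_attempts = 0


if __name__ == "__main__":
    t0 = datetime(2005, 3, 14, 8, 0)
    acct = Account("jdoe", "correct horse battery")
    for _ in range(3):
        login(acct, "wrong", t0)
    print("locked after three failures:", acct.locked)
    admin_unlock(acct)
    sess = login(acct, "correct horse battery", t0)
    print("idle 16 min still active:", touch(sess, t0 + timedelta(minutes=16)))
```

Two details matter for the control to hold up under test. The lock check comes before the password check, so a locked account leaks nothing about whether a guess was right, and the comparison uses a constant-time digest compare rather than string equality. The time-out is measured from the last activity rather than from log-on, which is what "if not in use" in the control means; measuring from log-on would expire busy sessions and leave idle ones open.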
The specific user controls are outlined in the Service Level\nAgreements.\n\n   \xe2\x80\xa2   Individual user identification.\n\n   \xe2\x80\xa2   Individual user password or Public Key Infrastructure authentication.\n\nService Level Agreements\n\nA service level agreement is a contract between a service agency and a customer agency\nthat defines the parameters of the services. The Service Level Agreement defines the\nservices to be delivered, problem management, and customer duties and responsibilities.\nThe Service Level Agreements outline, at a minimum, the responsibilities over system\naccess, security controls, data disposition and sharing, data encryption, and data backup\nfor both CS and the customers.\n\n\n\n\n                                            27\n\x0c\x0cSection III: Control Objectives, Control Activities, and Tests of\n                    Operating Effectiveness\n\n\n\n\n                               29\n\x0c\x0cEntity-wide Security Program\nControl Techniques                            Test of Operating Effectiveness                Results of Tests of Operating\n(Related Controls Placed in Operation)                                                       Effectiveness\nControl Objective:\nSP-1: Controls provide reasonable assurance that security risks are periodically assessed.\n\nPeriodically assess security risks against\nfederal requirements.\n\nA formal risk assessment is developed for     Inspected policies and procedures for          Risk assessments at two out of six sites did\neach site and conducted once every 3 years.   performing risk assessments and determined     not conform to the FSO Risk Analysis\nFormal risk assessments are updated           these policies and procedures were in place.   Guide.\nannually based on annual reviews. The         Inquired of CS personnel to determine\nresults of the traditional SRRs, technical    whether the policies and procedures were\nSRRs, Internet Security Scans, Information    being followed. 
Inspected the most recent\nAssurance Vulnerability Management, and       risk assessments to determine whether they\nthe effectiveness of implemented              were performed in accordance with the\ncountermeasures are used to determine the     policies and were approved by\nresidual risk.                                management.\n\nFinal risk determinations and related         Inquired of the objectivity of the personnel   No relevant exceptions noted.\nmanagement approvals are documented and       who performed the risk assessments to\nmaintained on file.                           determine they were independent of the\n                                              systems that were reviewed.\n\n\n\n\n                                                                 31\n\x0cControl Techniques                            Test of Operating Effectiveness                 Results of Tests of Operating\n(Related Controls Placed in Operation)                                                        Effectiveness\nControl Objective:\nSP-2: Controls provide reasonable assurance that an entity-wide security program plan is documented, approved, and kept\ncurrent.\n\nA security plan is documented and\napproved.\n\nThe security plan is documented and           Inspected site security plans to determine      One out of six sites did not have a current\naddresses topics prescribed in OMB            whether the following had been addressed:       security plan that was documented and\nCircular A-130, Security of Federal           \xe2\x80\xa2 management review of the plan on a            approved.\nAutomated Information Resources. The              regular basis, at least annually, to\nsecurity plan is validated for completeness       evaluate existing policies and processes\nand applicability during the FSO\xe2\x80\x99s                and to provide consistency and support\nTraditional SRR.                                  
for the goal of uninterrupted operations;\n                                              \xe2\x80\xa2 management\xe2\x80\x99s approval of the security\nThe SMCs security plan is developed by the        plan in writing; and\nsite SM or IAM and signed by the senior       \xe2\x80\xa2 guidance related to security plans for\nofficial on site.                                 general support systems, as outlined in\n                                                  OMB Circular No. A-130 Appendix III.\nThe security plan is kept current.\n\nThe security plan is reviewed annually and    Inspected the security plan to evaluate:        For two out of six sites, the security plans\nupdated annually or as necessary.             \xe2\x80\xa2 factors that caused the plan to be            did not incorporate current guidance\n                                                  updated;                                    provided by DoD Instruction 8500.2 and\n                                              \xe2\x80\xa2 plan was current;                             OMB Circular A-130 Appendix III.\n                                              \xe2\x80\xa2 supporting documentation existed for\n                                                  any changes during the last year;\n                                              \xe2\x80\xa2 documentation existed to depict how\n                                                  systems and applications were\n                                                  interconnected, including connection\n                                                  rules and requirements;\n                                              \xe2\x80\xa2 documentation existed to sufficiently\n                                                  assess the impacts of any changes made;\n                                                  and\n\n                                                                32\n\x0cControl Techniques                             Test of 
Operating Effectiveness                 Results of Tests of Operating\n(Related Controls Placed in Operation)                                                         Effectiveness\n                                               \xe2\x80\xa2   plans covered the current topics outlined\n                                                   in OMB Circular A-130 Appendix III,\n                                                   and DoD Instruction 8500.2.\nControl Objective:\nSP-3: Controls provide reasonable assurance that a security management structure is established and security responsibilities\nare clearly assigned.\n\nA security management structure has\nbeen established.\n\nThe CS Security Handbook defines the           Inquired of CS management to determine          No relevant exceptions noted.\nresponsibilities of individuals who comprise   whether:\nthe security management staff.                    \xe2\x80\xa2 a security staff was designated for\n                                                      each site; and\n                                                  \xe2\x80\xa2 clear assignments of information\n                                                      security responsibilities that\n                                                      addressed information security\n                                                      roles, training, and security\n                                                      clearances existed.\nInformation security responsibilities are\nclearly assigned.\n\nThe roles and responsibilities of the IAM,     Inquired of CS management whether               No relevant exceptions noted.\nIAO, and SM are outlined in appointment        security responsibilities had been clearly\norders.                                        
assigned to the following:\n                                               \xe2\x80\xa2 information resource owners and users,\n                                               \xe2\x80\xa2 information resources management and\n                                                   data processing personnel,\n                                               \xe2\x80\xa2 senior management, and\n                                               \xe2\x80\xa2 security administrators.\n\n\n\n\n                                                                 33\n\x0cControl Techniques                              Test of Operating Effectiveness                Results of Tests of Operating\n(Related Controls Placed in Operation)                                                         Effectiveness\nOwners and users are aware of security\npolicies.\n\nCS personnel must take security awareness       Inquired of CS management about the            Three out of six sites did not have an\ntraining, workplace violence training, and      existence of an ongoing security awareness     effective security awareness program that\nantiterrorism training before gaining access    program for current employees and an           provided guidance to users regarding the\nto any system. Initial security awareness       introductory program for new employees.        importance of security.\ntraining is provided to all users. 
Training\ncompletion is recorded.\n\nPosters are utilized throughout the CS          Inspected other means used by CS to            No relevant exceptions noted.\nfacilities to increase security awareness on    promote security awareness.\nvarious security-related topics, such as\nviruses, freeware or shareware, and unique\npasswords.\n\nCS employees are required to sign               Inspected employees\xe2\x80\x99 non-disclosure            Two out of six sites did not have effective\nnon-disclosure agreement forms to evidence      agreement forms to evidence their              procedures implemented to determine that\ntheir understanding and acceptance of           understanding and acceptance of                employees and contractors complete a\nconfidential information disclosure             confidential information disclosure            non-disclosure agreement form to evidence\nrestrictions and requirements.                  restrictions and requirements.                 their understanding and acceptance of\n                                                                                               confidential information disclosure\n                                                                                               restrictions and requirements.\nAn incident response capability has been\nfully implemented.\n\nThe CS Security Handbook provides               Inquired of site personnel regarding their     Personnel at four out of six sites were not\nguidance on handling incidents, incident        familiarity with their specific                familiar with their responsibilities for\nreporting structure, and prioritization of      responsibilities for intrusion detection and   intrusion detection and incident response.\nincidents that are consistent with attributes   incident response.\nsuggested by DoD Instruction 8500.2.\n\n\n\n\n                                                                   34\n\x0cControl Techniques                     
Each entry below gives the control technique (related controls placed in operation), the test of operating effectiveness, and the results of tests of operating effectiveness.

Control Objective SP-4: Controls provide reasonable assurance that effective security-related personnel policies have been implemented.

Hiring, transfer, termination, and performance policies address security.

Control technique: The CS Security Handbook prescribes guidelines addressing personnel security controls and position sensitivity designations for employees and contractors, documenting and updating designations, investigation and reinvestigation requirements, adjudication, clearance procedures, and termination processing.
Test of operating effectiveness: Inspected the hiring policies and procedures for employees and for contractors, including reviewing the process for performing background investigations and contacting references for new hires.
Results: No relevant exceptions noted.

Control technique: Personnel security checks are performed to determine that a valid and current personnel security investigation has been conducted for each person at the site, based on the individual’s duties and tasks.
Test of operating effectiveness: Inspected policies and procedures in place for performing reinvestigations of current employees and contractors.
Results: No relevant exceptions noted.

Control technique: Termination requires debriefing and revoking of all access. Termination debriefing must be signed and maintained.
Test of operating effectiveness: Inspected CS policies and procedures in place for individuals departing CS, or where systems access was no longer required.
Results: Three out of five sites did not implement formal policies for debriefing and removing all access.

Employees have adequate training and expertise.

Control technique: Training and certification requirements for users and SAs are established by DoD and DISA policies.
Test of operating effectiveness: Inquired of CS management whether employees were receiving appropriate training and had the necessary skills to perform assigned job functions.
Results: Personnel at three out of five sites did not receive appropriate training to perform their duties.

Control technique: The CS Security Handbook outlines several different certification courses that SAs and security management should take depending on the designated level.
Test of operating effectiveness: Inspected documentation regarding training programs to determine whether employee training and professional development activities were documented and monitored.
Results: Three out of five sites did not document employee training and professional development activities.

Control Objective SP-5: Controls provide reasonable assurance that security program effectiveness is monitored and changes are made as needed.

Management periodically assesses the appropriateness of security policies and compliance with them and ensures that corrective actions are effectively implemented.

Control technique: The FSO performs SRRs as a part of its IA review and certification and accreditation process. The FSO also conducts annual reviews to assess the appropriateness of the security policies and compliance with them. CS and the FSO have visibility over all identified vulnerabilities.
Test of operating effectiveness: Inquired of CS management whether a comprehensive vulnerability management process was in place to address:
• systematic identification and mitigation of software and hardware vulnerabilities,
• independent validation of mitigation through inspection and automated vulnerability assessment,
• acquisition of vulnerability assessment tools, and
• deployment of trained personnel.
Results: No relevant exceptions noted.

Control technique: Automated scripts are run on a weekly basis for servers at the four main SMCs. The sites also perform vulnerability assessments.
Test of operating effectiveness: Inquired of CS management whether regular internal and external assessments were conducted.
Results: No relevant exceptions noted.

Control technique: New systems are reviewed for compliance with DoD and STIG policy prior to connection to the network.
Test of operating effectiveness: Inspected whether new systems and major upgrades were tested prior to connection to the network and authorized.
Results: For one out of five sites, new systems and major upgrades were not fully tested and authorized prior to connection to the network.

Access Control

Control Objective AC-1: Controls provide reasonable assurance that information resources are classified according to their criticality and sensitivity.

Resource classifications and related criteria have been established.

Control technique: CS has defined the criticality of its assets and the policies to the MAC II sensitive level.
Test of operating effectiveness: Inspected the policies and procedures that CS used to develop and establish data and resource classification rankings for adequacy and effectiveness.
Results: No relevant exceptions noted.

Owners have classified resources.

Control technique: CS has classified the criticality of its assets.
Test of operating effectiveness: Inquired whether assets had been classified, and whether the classifications were documented and current.
Results: No relevant exceptions noted.

Control technique: CS customers communicate classification levels to CS for their applications.
Test of operating effectiveness: Inquired of site IAMs how customers communicated classification levels for their applications and whether those levels were in accordance with the specific risk assessment results.
Results: No relevant exceptions noted.

Control Objective AC-2: Controls provide reasonable assurance that a current list of authorized users and their respective access rights is maintained.

Design Weakness: CS does not have control procedures in place to ensure resource owners have identified authorized users and their respective access rights. Specifically, control procedures are needed to ensure the following: (a) access rights associated with role-based user accounts are fully established across CS, and (b) account maintenance practices and procedures have been fully implemented across CS platforms.

Resource owners have identified authorized users and their authorized access rights.

Control technique: The CS Security Handbook details the process for granting access to system resources.
Test of operating effectiveness: Inspected procedures that CS followed to grant access to its systems.
Results: No relevant exceptions noted.

Control technique: System access is role-based, depending on tasks and functions.
Test of operating effectiveness: Inspected access rights associated with user accounts to determine whether they had been established in accordance with a role-based access scheme that organizes system and network access rights into roles.
Results: Refer to the design weakness noted above, item (a).

Control technique: The IAM maintains a list of all approved privileged users for operating systems, networks, databases, and web administrators. This includes privileged users within or outside of CS.
Test of operating effectiveness: Inquired of management to determine that sites have IAMs, and determined whether the IAMs track privileged role assignments.
Results: The IAM at four out of six sites did not track privileged role assignments.
Test of operating effectiveness: Inspected policies and procedures for granting operating system access, including required approval by information owners.
Results: No relevant exceptions noted.

Control technique: Each user identification issued is evidenced by a DD Form 2875 (or its predecessor, DISA Form 41) or a local form that has incorporated all the requirements of the DD Form 2875. DD Form 2875, System Access Authorization Request, requires approval from the user’s supervisor and the data owner, and validation of the user’s personnel security investigation based on the access requested.
Test of operating effectiveness: Inquired to determine whether a comprehensive account management process existed to:
• allow only authorized users to gain access to workstations, applications, and networks; and
• deactivate individual accounts designated as deactivated, suspended, or terminated.
Results: Refer to the design weakness noted above, item (b).
Test of operating effectiveness: Inquired of management regarding the process to determine that access authorizations were in accordance with DoD personnel security policies and security criteria (i.e., the background investigation requirements outlined in DoD Regulation 5200.2-R).
Results: No relevant exceptions noted.

Control technique: Periodic revalidation of system users is conducted to identify accounts and user accesses that are no longer needed.
Test of operating effectiveness: Inquired whether information assurance managers were performing periodic revalidations of system users.
Results: Four out of five sites had no processes for conducting periodic revalidations of system users.
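The account management controls under AC-2 (a DD Form 2875 on file for every account, IAM tracking of privileged users, prompt deactivation of suspended or terminated personnel, and periodic revalidation to find accesses no longer needed) can be run as one automated revalidation pass. The following is an added example written for this page, not code from the report or from DISA; the record layouts, the 90-day inactivity threshold, and every sample account, authorization and roster entry are constructed assumptions.

```python
"""Periodic revalidation of system users (AC-2).

Added example, not code from the report or from DISA. The record layouts,
the 90-day inactivity threshold and every sample record below are
constructed assumptions used to show the checks the control describes.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

INACTIVITY_LIMIT = timedelta(days=90)   # assumed threshold; the report sets none


@dataclass(frozen=True)
class Account:
    """One account as exported from a host (constructed layout)."""
    username: str
    enabled: bool
    privileged: bool                # holds an administrator/root-equivalent role
    last_login: Optional[date]


@dataclass(frozen=True)
class Authorization:
    """The DD Form 2875 (System Access Authorization Request) on file for a user."""
    username: str
    supervisor_approved: bool
    owner_approved: bool
    personnel_status: str           # "active", "suspended" or "terminated"


def revalidate(accounts: Iterable[Account],
               authorizations: Iterable[Authorization],
               iam_privileged: Iterable[str],
               today: date) -> Dict[str, List[str]]:
    """Return {username: [findings]} for every account or roster entry needing action.

    Accounts with no findings are omitted, so an empty dict means the
    revalidation found nothing to remove or re-approve.
    """
    saar = {a.username: a for a in authorizations}
    roster = set(iam_privileged)
    findings: Dict[str, List[str]] = {}
    seen_privileged = set()

    for acct in accounts:
        issues: List[str] = []
        auth = saar.get(acct.username)
        if auth is None:
            issues.append("no SAAR on file")
        else:
            if not (auth.supervisor_approved and auth.owner_approved):
                issues.append("SAAR lacks supervisor or data-owner approval")
            if acct.enabled and auth.personnel_status in ("suspended", "terminated"):
                issues.append(f"account enabled but person is {auth.personnel_status}")
        if acct.privileged:
            seen_privileged.add(acct.username)
            if acct.username not in roster:
                issues.append("privileged account not on IAM roster")
        if acct.enabled and (acct.last_login is None
                             or today - acct.last_login > INACTIVITY_LIMIT):
            issues.append("no login within inactivity limit")
        if issues:
            findings[acct.username] = issues

    # Roster entries with no matching privileged account are stale and should be removed.
    for name in sorted(roster - seen_privileged):
        findings.setdefault(name, []).append(
            "on IAM privileged roster but holds no privileged account")
    return findings


# Constructed sample data (not from the report).
TODAY = date(2005, 4, 30)
ACCOUNTS = [
    Account("jdoe",    True,  False, date(2005, 4, 20)),
    Account("sysadm1", True,  True,  date(2005, 4, 28)),
    Account("dba02",   True,  True,  date(2005, 4, 25)),
    Account("rsmith",  True,  False, date(2005, 4, 1)),
    Account("temp01",  True,  False, date(2005, 4, 29)),
    Account("oldapp",  True,  False, None),
    Account("retired", False, False, date(2004, 6, 1)),
]
AUTHORIZATIONS = [
    Authorization("jdoe",    True, True, "active"),
    Authorization("sysadm1", True, True, "active"),
    Authorization("dba02",   True, True, "active"),
    Authorization("rsmith",  True, True, "terminated"),
    Authorization("oldapp",  True, True, "active"),
    Authorization("retired", True, True, "terminated"),
]
IAM_PRIVILEGED = ["sysadm1", "former_sa"]

if __name__ == "__main__":
    for user, issues in revalidate(ACCOUNTS, AUTHORIZATIONS, IAM_PRIVILEGED, TODAY).items():
        print(f"{user}: {'; '.join(issues)}")
```

The pass is deliberately two-sided: it reads the host's account list against the paper authorizations and the IAM roster, and it also reads the roster against the hosts, so a stale privileged-user roster (the finding at four of six sites) shows up as well as an untracked privileged account. A disabled account is left alone even when its person is terminated, since the control asks that such accounts be deactivated, not deleted.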
Emergency and temporary access authorization is controlled.

Control technique: Emergency and temporary access authorizations are:
• documented and maintained on file,
• approved by appropriate management,
• securely communicated to the IAM, and
• terminated after a predetermined period.
Test of operating effectiveness: Inquired whether CS had established policies and procedures for the creation and maintenance of emergency and temporary access to CS owned or administered systems.
Results: One out of six sites did not have policies and procedures in place for the creation and maintenance of emergency IDs.
Test of operating effectiveness: Inspected a listing of emergency and temporary user access requests to determine whether:
• a record of such access was maintained,
• management approved the access, and
• access was terminated in a specific period of time.
Results: Two out of six sites did not maintain a record of emergency and temporary user access requests.

Owners determine disposition and sharing of data.

Control technique: The Support Agreement portion of the Service Level Agreements defines the data disposition and data sharing process.
Test of operating effectiveness: Determined whether Service Level Agreements addressed file sharing and IA roles and responsibilities for the acquisition or outsourcing of IT services.
Results: No relevant exceptions noted.

Control Objective AC-3: Controls provide reasonable assurance that physical and logical controls to prevent or detect unauthorized access are fully established and access to and use of system software is monitored.

Design Weakness: CS does not completely have the DoD required logical control procedures in place to fully ensure that passwords, tokens, or other devices are used to identify and authenticate users; access paths are identified and access authorizations are appropriately limited; policies and techniques have been implemented for using and monitoring the use of system utilities, as well as for investigating and resolving inappropriate or unusual activity; telecommunications are secured; and cryptographic tools are used in a secure fashion. Specifically, control procedures are needed to ensure the following: (a) all relevant password policies and procedures are fully implemented at CS sites; (b) password settings are fully in compliance with the CS policies; (c) vendor supplied passwords are always removed or controlled once software has been installed; (d) SAs’ access is consistent with the controls required by DoD over IA; (e) permissions to access devices, directories, files and registry settings have been fully established to comply with the STIGs; (f) operating system parameters are configured to maintain integrity of the security software and application controls; (g) system software monitoring utilities are installed; (h) system software information is logged and reviewed; (i) policies and procedures have been fully established to control and monitor internal and remote access; (j) configuration and security settings are fully in compliance with STIGs for network devices; (k) warning banners are displayed across all platforms hosted by CS; (l) policies and procedures are fully implemented for the use of cryptographic tools; and (m) devices are subject to an approved communications encryption method to perform remote management and file transfers.

Physical safeguards have been established that are commensurate with the risks of physical damage or access.

Control technique: Physical safeguard procedures include:
• controlled access and controlled perimeters for CS facilities located on military or GSA installations;
• verification of DoD identification, such as a Common Access Card or DISA badge, by the guards for everyone entering the site;
• an enclosed perimeter, by a fence that controls vehicle and pedestrian access, for CS facilities not located on a military or GSA installation;
• routine patrols and random door checks performed by the local military, DoD, or GSA guards; and
• controlled access to the administrative areas by a guard, mechanical cipher, or automated access control system.
Test of operating effectiveness: Inquired of guards at the check-in stations to understand the process for granting physical access.
Results: No relevant exceptions noted.

Control technique: Computer facilities have at least two levels of physical security controls for safeguarding. Access to the computer facility requires something that the employee has (e.g., a picture identification card) and something that the employee knows (e.g., an access code). Employees must wear their picture identification cards above the waist.
Test of operating effectiveness: Inspected the site and the computer room to determine the physical security controls over the physical layout of the data center and computer room.
Results: One out of sixteen sites did not fully implement physical security controls over the computer facility.

Control technique: The computer facility has:
• true floor-to-ceiling walls,
• solid entrance doors,
• doors with hinges that prevent easy removal,
• emergency doors free of devices on the outside and equipped with a panic bar release on the inside and a ½ inch deadbolt throw, and
• doors with balanced magnetic switches.
Test of operating effectiveness: Inspected access restrictions to the computer room to determine the existence of:
• true floor-to-ceiling walls,
• solid entrance doors,
• doors with hinges that prevent easy removal,
• emergency doors that were free of devices on the outside and equipped with a panic bar release on the inside and a ½ inch deadbolt throw,
• doors with balanced magnetic switches, and
• a process to control keys.
Results: Eight out of sixteen sites did not fully implement access restrictions to the computer room.

Control technique: All CS site SMs must maintain and post an authorized access list inside the computing facilities. Changes to the authorized access list can be made in pen and initialed by the SMs. The authorized access list must be updated on an annual basis.
Test of operating effectiveness: Inspected a list of individuals having access to the sensitive areas to determine their authorizations.
Results: Thirteen out of sixteen sites did not restrict access to sensitive areas to authorized individuals. However, access to CS facilities located on military or GSA installations was controlled by local military, DoD, or GSA police who performed routine patrols and random door checks.

Visitors are controlled.

Control technique: All visitors have a visit authorization request on file with the site SM.
Test of operating effectiveness: Inspected procedures for handling visitors to determine whether they:
• were required to be escorted, and
• had been cleared by the sponsor and security.
Results: No relevant exceptions noted.

Control technique: Visitors to the computing facilities who are not on the authorized access list must be signed in and out of the facility. CS personnel who do not have the appropriate security investigation or clearance, and all non-CS personnel, will be escorted at all times while in the computing facility.
Test of operating effectiveness: Inquired to determine if there were procedures in place to control visitor access to the computer room.
Results: Eleven out of sixteen sites did not fully implement procedures to control visitor access to the computer room. However, all visitors who are not on the authorized access list are signed in and out of the facility by guards who check identification.

Control technique: Entry codes are periodically changed.
Test of operating effectiveness: Inspected policies for changing access codes (cipher locks) and obtained supporting documentation for these changes.
Results: Eleven out of fourteen sites did not fully implement procedures for changing access codes.

Passwords, tokens, or other devices are used to identify and authenticate users.

Control technique: Password configuration requirements:
• minimum of 8 characters,
• one lower-case character,
• one upper-case character,
• one number, and
• one special character.
Additionally,
• passwords are changed every 90 days,
• a password can only be changed once within 24 hours,
• a password cannot be reused for 10 cycles,
• a password cannot reuse any character more than once, and
• passwords are encrypted in storage.
Test of operating effectiveness: Inspected CS password policies to determine whether these policies and procedures met Federal, DoD, and DISA requirements.
Results: Refer to the design weakness noted above, item (a).
Test of operating effectiveness: Inspected password settings to determine compliance with the policies.
Results: Refer to the design weakness noted above, item (b).

Control technique: Vendor-supplied default logons and passwords are disabled.
Test of operating effectiveness: Inspected whether CS determines that all vendor supplied passwords were removed or controlled once the software has been installed.
Results: Refer to the design weakness noted above, item (c).
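The password configuration requirements listed above combine static composition rules with rules that depend on the account's history (the 24-hour minimum age, the 90-day maximum age, and the 10-cycle reuse ban), so a checker needs the stored history as well as the candidate password. The following is an added example written for this page, not code from the report or from DISA; the rule values are those in the control technique, while the storage format (salted PBKDF2 hashes rather than reversible encryption), the PBKDF2 work factor and all sample passwords are assumptions.

```python
"""Enforcing the CS password configuration requirements (AC-3).

Added example, not code from the report or from DISA. The rule values come
from the control technique on this page; the storage format (salted PBKDF2
hashes), the work factor and every sample password are assumptions.
"""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8
MAX_AGE = timedelta(days=90)        # passwords changed every 90 days
MIN_AGE = timedelta(hours=24)       # only one change within 24 hours
HISTORY_DEPTH = 10                  # cannot be reused for 10 cycles
SPECIAL = set(string.punctuation)
PBKDF2_ROUNDS = 50_000              # assumed work factor


def composition_errors(pw: str, forbid_repeated_chars: bool = True) -> List[str]:
    """Check a candidate against the static composition rules; [] means it passes."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append("shorter than 8 characters")
    if not any(c.islower() for c in pw):
        errors.append("no lower-case character")
    if not any(c.isupper() for c in pw):
        errors.append("no upper-case character")
    if not any(c.isdigit() for c in pw):
        errors.append("no digit")
    if not any(c in SPECIAL for c in pw):
        errors.append("no special character")
    if forbid_repeated_chars and len(set(pw)) != len(pw):
        errors.append("a character is used more than once")
    return errors


def _derive(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordRecord:
    """Per-user password history as (salt, hash, time set) tuples, oldest first.

    Only salted one-way hashes are kept, so the clear text is never
    recoverable from the record, yet reuse can still be detected.
    """
    def __init__(self) -> None:
        self.history: List[Tuple[bytes, bytes, datetime]] = []

    def last_set(self) -> Optional[datetime]:
        return self.history[-1][2] if self.history else None


def set_password(record: PasswordRecord, pw: str, now: datetime) -> None:
    """Store a new password and trim the history to the last 10 cycles."""
    salt = os.urandom(16)
    record.history.append((salt, _derive(pw, salt), now))
    del record.history[:-HISTORY_DEPTH]


def evaluate_change(record: PasswordRecord, candidate: str, now: datetime) -> List[str]:
    """Return every reason the change must be refused; [] means it is allowed."""
    errors = composition_errors(candidate)
    last = record.last_set()
    if last is not None and now - last < MIN_AGE:
        errors.append("changed within the last 24 hours")
    for salt, digest, _ in record.history:
        if hmac.compare_digest(_derive(candidate, salt), digest):
            errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return errors


def is_expired(record: PasswordRecord, now: datetime) -> bool:
    """True when the current password is older than 90 days (or none is set)."""
    last = record.last_set()
    return last is None or now - last > MAX_AGE


if __name__ == "__main__":
    rec = PasswordRecord()
    t0 = datetime(2005, 1, 1, 9, 0)
    set_password(rec, "Abcdef1!", t0)                       # constructed sample
    print(evaluate_change(rec, "Abcdef1!", t0 + timedelta(days=2)))
    print(is_expired(rec, t0 + timedelta(days=91)))
```

Two points a practitioner would want alongside the policy. First, "encrypted in storage" is implemented here as a salted, slow one-way hash: the reuse check still works, because each historical salt is re-applied to the candidate, but a copy of the record does not yield the passwords. Second, the rule that no character may appear twice is exposed as a flag because it shrinks the set of allowed passwords and pushes users toward predictable patterns; a site that can drop it from its local policy gains entropy rather than losing it.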
Control technique: Passwords are subjected to software attacks as part of the Internet Security Scanner scan and SRRs. Passwords are checked as part of the SRRs and self-assessments. Servers managed by the SMCs are checked on a weekly basis with the automated scripts.
Test of operating effectiveness: Inquired whether passwords were checked as part of the SRR process.
Results: No relevant exceptions noted.
Test of operating effectiveness: Inspected whether password scanning tools were being executed on a weekly basis.
Results: For 16 of 49 Unix devices, the weekly password scan was disabled.

Access paths are identified and access authorizations appropriately limited.

Control technique: Access paths are identified within the communications topology for each CS site. The communications topology shows connections from the wide area network into the perimeter point of presence down to the individual Internet Protocol addresses of all devices within the enclave. System software is configured in accordance with the STIGs. Access to data files, software programs and databases is controlled by the configuration settings described in the STIGs. Network diagrams are developed and maintained to show potential access paths. The operating system and communications software are configured to prevent circumvention of security software controls and unauthorized access from all paths.
Test of operating effectiveness: Inspected the topology diagram to determine whether an analysis of the logical access paths was performed whenever changes were made to CS owned or administered systems.
Results: No relevant exceptions noted.
Test of operating effectiveness: Inspected to determine that SAs’:
• access granted met DoD IA controls;
• access was consistent with their job responsibilities;
• accounts designated as inactive, suspended, or terminated had been promptly deactivated;
• access was reviewed frequently;
• access was supported by a completed System Access Authorization Request on file; and
• access was granted based on least-privilege access at the operating system level.
Also, inspected access to platforms by attempting to gain access to the operating system and other system components.
Results: Refer to the design weakness noted above, item (d).
Test of operating effectiveness: Inspected configuration settings to determine whether access to the data files and software programs was in compliance with the STIGs.
Results: Refer to the design weakness noted above, item (e).
Test of operating effectiveness: Inspected the operating system parameters to determine whether configurations:
• maintain the integrity of the security software and application controls; and
• allow access via approved paths to the operating system, kernel, system security software, and, when applicable, application software.
Results: Refer to the design weakness noted above, item (f).

Policies and techniques have been implemented for using and monitoring the use of system utilities, and inappropriate or unusual activity is investigated and appropriate actions taken.

Control technique: Procedures are in place for monitoring, investigating and reporting inappropriate or unusual activity. The STIG outlines what activity is to be monitored and, within these guidelines, local policy determines the thresholds for what is considered inappropriate or unusual activity.
Test of operating effectiveness: Inspected policies and procedures pertaining to monitoring, investigating, and reporting inappropriate and unusual activities in the use of system software utilities.
Results: No relevant exceptions noted.

Control technique: System utilities are installed in accordance with policies and procedures for the proper use of system utilities. These are documented in the STIGs, vendor documentation, and applicable users’ manuals. Each site is responsible for implementing these guidelines.
Test of operating effectiveness: Inspected whether system utilities intended for monitoring inappropriate or unusual activity were installed.
Results: Refer to the design weakness noted above, item (g).

Control technique: The use of sensitive system utilities is logged and inappropriate or unusual activity is investigated.
Test of operating effectiveness: Inspected the type of information being logged, the frequency of review and backup, and the sufficiency of the data collected to detect operational or security abnormalities.
Results: Refer to the design weakness noted above, item (h).

Telecommunications are secured.

Control technique: Telecommunications access is controlled by the managing CCC for the network devices, including firewalls and network IDSs, at all sites within the continental United States for the unclassified wide area network. Sites that have not yet "transformed" are responsible for their own network devices. For networks that have been transformed, only CCC personnel have access to those networks, through the out-of-band virtual private network tunnel.
Test of operating effectiveness: Inspected policies and procedures that had been established to control and monitor internal and remote access.
Results: Refer to the design weakness noted above, item (i).
Test of operating effectiveness: Inspected settings for network devices to determine compliance with the STIGs.
Results: Refer to the design weakness noted above, item (j).
Test of operating effectiveness: Inspected the warning banner displayed when individuals log on to their computers and access the local area network or wide area network, to determine whether all users were warned that they were entering a government information system and were provided with appropriate privacy and security notices.
Results: Refer to the design weakness noted above, item (k).

Control technique: Dial-in telephone numbers are not published and are periodically changed.
Test of operating effectiveness: Inquired whether remote access numbers were changed periodically and not published in CS phone lists.
Results: No relevant exceptions noted.

Cryptographic tools are used in a secure fashion.

Control technique: When required by the customer, Federal Information Processing Standard (FIPS) 140-2 compliant encryption is used for encryption of unclassified information.
Test of operating effectiveness: Inspected policies and procedures outlining the use of cryptographic tools to encrypt stored sensitive information.
Results: Refer to the design weakness noted above, item (l).

Control technique: Encryption tools such as Virtual Private Network, Secure Socket Layer, Secure Shell, and Public Key Infrastructure are used where the data or the transmission of data needs to be protected.
Test of operating effectiveness: Inspected devices to determine whether approved cryptography was used to encrypt stored sensitive information, and inspected whether information in transit through a network was protected with approved cryptography when required.
Results: Refer to the design weakness noted above, item (m).

Sanitization of equipment and media prior to disposal or reuse.

Control technique: Sanitization of equipment and media prior to disposal or reuse is performed in accordance with DoD Regulation 5200.1-R, the CS Security Handbook, and the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) Memorandum, "Disposition of Unclassified DoD Computer Hard Drives," dated June 4, 2001.
Test of operating effectiveness: Inspected CS policies and procedures, and related documentation supporting the sanitization of equipment and media.
Results: Two out of six sites did not fully comply with policies and procedures for sanitization of equipment.

Control Objective AC-4: Controls provide reasonable assurance that access is monitored, apparent security violations are investigated, and appropriate remedial action is taken.

Design Weakness: CS does not have control procedures in place to fully ensure that audit trails are maintained and that actual or attempted unauthorized, unusual, or sensitive access is monitored. Specifically, control procedures are needed to ensure the following: (a) audit trails are monitored across all CS sites, and (b) devices have host-based intrusion detection systems fully deployed or implemented across CS sites.

Audit trails are maintained.

Control technique: STIGs define audit trail requirements. For mainframe computers, three access control programs (Resource Access Control Facility, Access Control Facility 2, and Top Secret) have the ability to conduct a full audit and record audit records. The access control program for the Unisys mainframe can also conduct and record full audit records. For mid-tier systems, databases and web-based applications, audit capability is implemented if it does not degrade performance or overload system storage devices.
Test of operating effectiveness: Inspected the audit trail monitoring, analysis, and reporting processes to determine that an automated audit trail capability is in place.
Results: Refer to the design weakness noted above, item (a).

Control technique: Audit records are maintained for 1 year.
Test of operating effectiveness: Inquired of IAMs to determine whether they retained backups of audit records for one year.
Results: Three of four sites did not have procedures to retain backups of audit records for one year.

Actual or attempted unauthorized, unusual, or sensitive access is monitored.

Control technique: Suspicious access activity is investigated and appropriate action taken. The security staffs located in the SMCs, ISCs and CCCs monitor their respective reports and audit logs for unauthorized access or activities. Suspected incidents are investigated in concert with trusted agents from the customer base or data owners to determine the legitimacy of the incidents.
Test of operating effectiveness: Inspected reports generated to track security violations on CS owned or administered systems to determine how questionable violations were documented and handled.
Results: Three out of six sites did not fully comply with policies and procedures for handling security violations on CS owned or administered systems.
Results: Refer to the design weakness noted above, item (b).
Test of operating effectiveness: Inspected network and host-based intrusion detection systems to determine they were 
If the       deployed where required.\nsuspected incident cannot be validated as\nauthorized, they are reported to the\nComputing Services Cell within the DISA\nNetwork Operation Center and to the\nGlobal Network Security Center.\n\n\n\n\n                                                                 49\n\x0cSoftware Development and Change Control\nControl Techniques                            Test of Operating Effectiveness               Results of Tests of Operating\n(Related Controls Placed in Operation)                                                      Effectiveness\nControl Objective:\nCC-1: Controls provide reasonable assurance that processing features and program modifications are properly authorized.\n\nAuthorizations for software modifications\nare documented and maintained.\n\nConfiguration Control Board has been          Inquired of management the configuration      One of out six sites did not fully\nestablished to manage the configuration       management process to determine whether       implement configuration management\nmanagement process. The Configuration         the configuration management process          procedures.\nControl Board has the authority to approve    addresses:\nor disapprove proposed changes to hardware,   \xe2\x80\xa2 documentation of configuration\noperating system, utility software,               management roles and responsibilities,\ncommunications, and networks brought          \xe2\x80\xa2 the establishment of a Configuration\nabout by proposed application software            Control Board,\nchanges.                                      
\xe2\x80\xa2 a testing process to verify changes\n                                                  prior to implementation, and\n                                              \xe2\x80\xa2 a verification process to provide\n                                                  assurance that the configuration\n                                                  management process was working\n                                                  effectively.\n\n                                              Inspected changes to applications or          Six out of six sites did not always\n                                              system software (updates or modifications)    document configuration change requests,\n                                              made for which CS had change control-         including authorizations.\n                                              related responsibilities to determine\n                                              whether the changes were properly\n                                              authorized and documented.\nUse of public domain and personal\nsoftware is restricted.\n\nCS management has implemented policy that     Inquired of management regarding the          One out of five sites did not fully\nprohibits the usage of personal software on   policies and procedures restricting the use   implement policies and procedures\n                                                                50\n\x0cControl Techniques                               Test of Operating Effectiveness                 Results of Tests of Operating\n(Related Controls Placed in Operation)                                                           Effectiveness\nthe public domain.                               of personal and public domain software          restricting the use of personal and public\n                                                 and instant messaging.                          
domain software and instant messaging.\n\nUsers of CS resources use only software that     Inspected CS procedures for enforcing           Users at four out of five sites did not\nis properly approved and accredited for CS       policies that prohibit personal use of binary   always use software that was properly\nuse.                                             or machine executable public domain             approved or accredited.\n                                                 software, shareware, and freeware by\n                                                 inspecting computers or workstations to\n                                                 determine compliance.\nControl Objective:\nCC-2: Controls provide reasonable assurance that all new and revised software including system software are tested and\ncontrolled.\n\nChanges are controlled as software\nprogresses through testing to final\nimplementation.\n\nProcedures are in place for the testing, test    Inspected policies and procedures for the       No relevant exceptions noted.\nanalysis, test reporting, and approval for       installation, upgrade, and maintenance of\nrelease to operational sites for all system      system software.\nsoftware changes.\n\nFor system software:                             Inquired procedures for modifications to        No relevant exceptions noted.\n    \xe2\x80\xa2 full integration testing is performed      enterprise applications (or other\n        to ensure functionality;                 applications for which CS had change\n    \xe2\x80\xa2 performance and stress testing is          control-related responsibilities), including\n        performed, as required, to identify      patches, upgrades and new applications.\n        impacts on system performance; and\n    \xe2\x80\xa2 security testing is performed for each     Inquired of management regarding whether        Two out of six sites did not fully\n        system software release. 
Based upon      controls were adequate to prevent the           implement controls to prevent the\n        test results, actions are initiated to   implementation of unauthorized system           implementation of unauthorized system\n        rectify identified software              software or changes to system software.         software or changes to system software.\n\n\n\n                                                                    51\n\x0cControl Techniques                          Test of Operating Effectiveness               Results of Tests of Operating\n(Related Controls Placed in Operation)                                                    Effectiveness\n       deficiencies, performance impacts,\n       and security problems.\n                                            Inspected the test plan standards that have One out of six sites did not fully develop\n                                            been developed for all levels of testing to test plan standards for all levels of testing.\n                                            include:\n                                                \xe2\x80\xa2 definition of responsibilities for\n                                                   each party, including (users, system\n                                                   analysts, programmers, and quality\n                                                   control);\n                                                \xe2\x80\xa2 encompassing procedures for\n                                                   assessing IA and impact on\n                                                   accreditation; and\n                                                \xe2\x80\xa2 requirement for approval before\n                                                   proceeding to the next level of\n                                                   testing.\n\n                                            Inspected if CS had separate environments     No relevant 
exceptions noted.\n                                            for development, testing, and production.\n\n                                            Inquired of management regarding who          No relevant exceptions noted.\n                                            was responsible for moving changes\n                                            between development, testing, and\n                                            production environments.\n\n                                            Inquired of management regarding how          No relevant exceptions noted.\n                                            access is controlled between these\n                                            environments (development, test, and\n                                            production) for non-end users and\n                                            inspected for compliance.\n\n                                            Inspected the listing to determine whether    CS programmers at one out of six sites had\n                                            CS programmers have access to the             unauthorized access to the production\n                                            production environment, and whether end       environment.\n                                            users have access to the development and\n                                            test environments.\n\n                                                              52\n\x0cControl Techniques                             Test of Operating Effectiveness               Results of Tests of Operating\n(Related Controls Placed in Operation)                                                       Effectiveness\n                                               Inspected whether CS maintains an audit       Three out of six sites did not fully maintain\n                                               trail or log of identified system software    audit trails or logs for system software\n         
                                      changes and issues to determine that the      changes.\n                                               log included:\n                                                    \xe2\x80\xa2 date, time, and type of event;\n                                                    \xe2\x80\xa2 user identification; and\n                                                    \xe2\x80\xa2 problem description, assigned\n                                                         reviewer, and problem resolution.\nEmergency changes are promptly tested\nand approved.\nEmergency change procedures are                Inquired of management regarding the          No relevant exceptions noted.\ndocumented.                                    policies and procedures in place for\n                                               emergency changes.\n\nEmergency changes are moved into               Inspected the following for emergency         No relevant exceptions noted.\nproduction only after changes are tested and   changes:\ndocumented prior to final approval by the      \xe2\x80\xa2 emergency changes were recorded and\nConfiguration Control Board.                       approved by management;\n                                               \xe2\x80\xa2 normal change request forms and\n                                                   documentation were completed after\n                                                   the emergency change; and\n                                               \xe2\x80\xa2 independent review of changes was\n                                                   performed.\nControl Objective:\nCC-3: Controls provide reasonable assurance that software libraries are controlled.\n\nAccess to program libraries is restricted.\n\nSource code is maintained in separate          Inquired of management to determine that      No relevant exceptions noted.\nlibraries.                                     
source code for the most recent version\n                                               was maintained in a separate library from\n\n\n                                                                  53\n\x0cControl Techniques                        Test of Operating Effectiveness               Results of Tests of Operating\n(Related Controls Placed in Operation)                                                  Effectiveness\n                                          production code.\n\n                                          Inspected the access control software rules   No relevant exceptions noted.\n                                          to determine they were clearly defined.\nMovement of programs and data among\nlibraries is controlled.\n\nVerification and acceptance of software   Inspected policies and procedures for         Two out of four sites had incomplete\nchanges is documented and approved and    movement of program code between              procedures for movement of program code\nmovements are controlled.                 libraries.                                    between libraries.\n\n                                          Inspected documentation maintained to         Three out of five sites had incomplete\n                                          track the movements or changes to             documentation to support approvals for the\n                                          determine they were approved.                 
movement of program and data among\n                                                                                        libraries.\n\n\n\n\n                                                             54\n\x0cSegregation of Duties\nControl Techniques                              Test of Operating Effectiveness               Results of Tests of Operating\n(Related Controls Placed in Operation)                                                        Effectiveness\nControl Objective:\nSD-1: Controls provide reasonable assurance that incompatible duties are segregated and related policies are established.\n\nIncompatible duties have been identified\nand policies implemented to segregate\nthese duties.\n\nCS Security Handbook describes the job          Inspected policies and procedures             Two out of six sites did not have policies\nresponsibilities that are supplemented by       concerning employee responsibilities and      and procedures addressing employee\nlocal site policies. The job responsibilities   segregation of duties, to address:            responsibilities and segregation of duties.\nare based on roles and responsibilities for         \xe2\x80\xa2 consistency with the current\ndepartment personnel. Service Level                    operating environment;\nAgreements also describe the roles and              \xe2\x80\xa2 identification of sensitive functions\nresponsibilities of CS personnel                       and incompatible duties; and\nresponsible for maintaining the customer            \xe2\x80\xa2 understanding of management and\nplatforms.                                             
information systems personnel\xe2\x80\x99s\n                                                       responsibilities about segregation\n                                                       of duties.\n\n                                                Inspected the site\xe2\x80\x99s organization chart       One out of six sites did not have roles\n                                                depicting information security functions      assigned based on appropriate segregation\n                                                and assigned personnel to determine if        of duties.\n                                                individuals were assigned incompatible\n                                                roles.\n\n                                                Reviewed site organization charts depicting Two out of six sites did not have distinct\n                                                information security functions and assigned system support responsibilities that were\n                                                personnel to determine whether              performed by different personnel.\n                                                    \xe2\x80\xa2 the chart reflected the current\n\n\n\n                                                                     55\n\x0cControl Techniques                       Test of Operating Effectiveness                 Results of Tests of Operating\n(Related Controls Placed in Operation)                                                   Effectiveness\n                                                organizational structure;\n                                            \xe2\x80\xa2   each function was staffed by a\n                                                different individual; and\n                                            \xe2\x80\xa2   alternate or backup assignments\n                                                had been made, if applicable,.\n\n                                         
Inquired of selected individuals to             No relevant exceptions noted.\n                                         determine if they performed only their\n                                         primary job functions and if secondary\n                                         duties were performed, whether these\n                                         duties created a segregation of duties issue.\n\n                                         Inspected the activities of selected            Personnel at one out of six sites did not\n                                         individuals to determine the nature and         comply with applicable segregation of\n                                         extent of compliance with applicable            duties policies.\n                                         segregation of duties policies.\n\n                                         Inspected to determine whether sites with       One out of six sites did not implement\n                                         limited resources to segregate duties had       appropriate controls over segregation of\n                                         implemented compensating controls.              duties.\nJob descriptions have been documented.\n\nAll civilian personnel have position     Inspected a sample of position descriptions     One out of six sites did not have fully\ndescriptions.                            
in different organizational units to            documented position descriptions for all\n                                         determine whether:                              civilian personnel.\n                                             \xe2\x80\xa2 duties were clearly described,\n                                             \xe2\x80\xa2 position descriptions were current,\n                                             \xe2\x80\xa2 job descriptions reflected current\n                                                 responsibilities and duties, and\n                                             \xe2\x80\xa2 technical knowledge, skills, and\n                                                 abilities required for successful\n                                                 performance were included for\n                                                 technical positions.\n\n\n\n                                                               56\n\x0cControl Techniques                             Test of Operating Effectiveness                 Results of Tests of Operating\n(Related Controls Placed in Operation)                                                         Effectiveness\nEmployees understand their duties and\nresponsibilities.\n\nSupervisors maintain copies of position        Inquired of personnel whether their             No relevant exceptions noted.\ndescriptions, and ensure that they correctly   position descriptions match their\nidentify the task and functions required by    understanding of their duties and\nthe position.                                  
responsibilities and whether additional\n                                               duties were undertaken that were not listed\n                                               in their position descriptions or\n                                               performance plan.\nSupervisors at all levels develop and          Inquired of management personnel in key         No relevant exceptions noted\nmaintain a performance plan for each           operating and programming positions to\nindividual and ensure that the plan requires   determine if responsibilities for restricting\nthe performance based on the position          access by position descriptions were\ndescription.                                   clearly defined, understood, and followed.\nControl Objective:\nSD-2: Controls provide reasonable assurance that access controls to enforce segregation of duties are established.\n\nManagement reviews effectiveness of\ncontrol techniques.\n\nSelf-inspections of traditional security are   Inquired of management on whether               Two out of six sites did not have\nconducted annually by SM.                      reviews were performed to assess the            comprehensive procedures that required\n                                               adequacy of segregated duties.                  
performance reviews to assess the\nSelf-assessments of systems access are                                                         adequacy of segregated duties.\nconducted periodically at direction of IAM.\n\n\n\n\n                                                                      57\n\x0cControl Techniques                          Test of Operating Effectiveness               Results of Tests of Operating\n(Related Controls Placed in Operation)                                                    Effectiveness\nControl Objective:\nSD-3: Controls provide reasonable assurance that personnel activities are controlled through formal operating procedures and\nsupervision and review.\n\nFormal procedures guide personnel in\nperforming their duties.\n\nLocal and enterprise standard operating     Inquired of supervisors and operations        No relevant exceptions noted.\nprocedures identify tasks and functions     personnel to determine if standard\nrequired to enable personnel to perform     operating procedures existed.\ntheir duties.\n                                            Inspected standard operating procedures       Three out of six sites did not have local\n                                            that guide personnel in performing their      standard operating procedures to guide\n                                            duties and determined whether they:           personnel in performing their duties;\n                                                \xe2\x80\xa2 outline the proper steps for            however, personnel were supervised and\n                                                    performing key functions, and         enterprise policies and procedures were in\n                                                \xe2\x80\xa2 reflect the current operating           place.\n                                                    environment.\nActive supervision and review are\nprovided for all personnel.\n\nOperational activities are monitored by    
 Inquired of supervisors and personnel to      No relevant exceptions noted.\nsupervisors in accordance with procedures   determine the process for monitoring\nstated in the CS Security Handbook.         operational activities.\n\n                                            Inquired of site management to determine      No relevant exceptions noted.\n                                            whether operations were being monitored\n                                            by supervisors as stated in the CS Security\n                                            Handbook.\n\n\n\n\n                                                                 58\n\x0cService Continuity\n\nControl Techniques                              Test of Operating Effectiveness              Results of Tests of Operating\n(Related Controls Placed in Operation)                                                       Effectiveness\nControl Objective:\nSC-2: Controls provide reasonable assurance that data and program backup procedures and environmental controls have\nbeen implemented.\n\nData and program backup procedures\nand environmental controls have been\nimplemented.\n\nFull-volume weekly backups are covered          Inspected policies and procedures for        Six out of sixteen sites did not have formal\nas basic services.                              backing up data files for applications and   documented tape backup procedures that\n                                                networks.                                    were consistently followed.\nAll backup data files are stored off-site.\nThere are normally three different backup       Inspected to determine whether procedures    No relevant exceptions noted.\ncycles (grandfather, father, son) held at the   were in place to assure the physical and\noff-site location. The backup sites are         logical protection of the backup hardware.\nrequired to be, at a minimum, 25 miles\nfrom the supported computing site.              
Inspected to determine whether sites had     Two out of sixteen sites did not have\n                                                procedures that identified an off-site       procedures that identified an off-site\nEach site has implemented its own off-site      location for storage of backup tapes.        location for storage of backup tapes.\nand transportation agreements. Most sites\nuse some type of locked containers, and         Inspected to determine how often the site:   Thirteen out of sixteen sites did not have\ninventory system of containers are either           \xe2\x80\xa2 created backups,                       procedures to recover corrupted data files,\nprovided by the contracting service or              \xe2\x80\xa2 rotated backups off-site,              lost programs, and operating systems by\nlocally purchased.                                  \xe2\x80\xa2 tested the backups for completeness    periodically testing backup tapes.\n                                                       of data,\n                                                    \xe2\x80\xa2 tested the backups for potential\n                                                       usability, and\n                                                    \xe2\x80\xa2 retained the backup media.\n\n\n                                                                      59\n\x0cControl Techniques                            Test of Operating Effectiveness                  Results of Tests of Operating\n(Related Controls Placed in Operation)                                                         Effectiveness\n\n                                              Inspected a listing of personnel authorized      Three out of sixteen sites did not fully\n                                              to access off-site facilities to determine if    implement procedures to restrict access to\n                                              access was appropriate based on job              off-site 
facilities.\n                                              function.\n\n                                              Inspected a listing of tape backups stored       Ten out of sixteen sites did not fully\n                                              off-site to determine that:                      implement procedures to recover backup\n                                                  \xe2\x80\xa2 tape backups existed,                      tapes stored offsite.\n                                                  \xe2\x80\xa2 files could be used to recreate\n                                                       current reports, and\n                                                  \xe2\x80\xa2 tape backups were transported to\n                                                       the off-site facility and back to\n                                                       original location.\n\n                                              Inspected to determine whether the off-site      Ten out of sixteen sites did not fully\n                                              location:                                        implement procedures to control access to\n                                                  \xe2\x80\xa2 was geographically removed from            these sites or facilitate recovery of\n                                                      the primary site,                        operations.\n                                                  \xe2\x80\xa2 had adequate physical and access\n                                                      controls,\n                                                  \xe2\x80\xa2 had boundary defense equivalent to\n                                                      the perimeter security at the\n                                                      primary site, and\n                                                  \xe2\x80\xa2 had appropriate space for storage\n                                                 
     media and recovery documentation.\n\nEnvironmental Controls comprise the           Inspected data center and off-site facility to   Nine out of sixteen sites did not fully\nfollowing controls.                           determine whether the following                  implement environmental controls.\n                                              environmental controls were in place:\n   \xe2\x80\xa2   Computing facilities and support           \xe2\x80\xa2 fire suppression and prevention\n       areas have automatic notification of          mechanisms that automatically\n       activation of smoke detectors that            activate when they detect heat,\n       alarm locally and at supporting fire          smoke, or particles;\n       department.                                \xe2\x80\xa2 smoke detectors;\n   \xe2\x80\xa2   Some administration areas have             \xe2\x80\xa2 fire extinguishers and sprinklers;\n       automatic notification of activation      \xe2\x80\xa2   water detectors;\n       of smoke detectors. Some of these         \xe2\x80\xa2   air conditioning systems;\n       only alarm locally; some alarm            \xe2\x80\xa2   humidity control systems;\n       locally and at the supporting fire        \xe2\x80\xa2   uninterruptible power supply;\n       department.                               \xe2\x80\xa2   backup generators;\n   \xe2\x80\xa2 Fire inspections are made based on          \xe2\x80\xa2   emergency lighting;\n       local site rules.                         
\xe2\x80\xa2   automated voltage control; and\n   \xe2\x80\xa2 Computing facilities and support            \xe2\x80\xa2   redundant systems.\n       areas have automatic activation of\n       fire suppression systems.              Inspected to determine whether the data      No relevant exceptions.\n   \xe2\x80\xa2 Administration areas have either         and network center staff were aware of the\n       automatic activation of fire           locations of:\n       suppression systems or hand-held           \xe2\x80\xa2 fire alarms,\n       extinguishers located throughout           \xe2\x80\xa2 fire extinguishers, and\n       the area.                                  \xe2\x80\xa2 master power switches and\n                                                      emergency cut-off switches.\nAll computer facilities have:\n    \xe2\x80\xa2 automatic humidity and\n       temperature control systems that\n       alarm when established humidity\n       and temperature conditions are\n       exceeded;\n    \xe2\x80\xa2 a master power switch located at or\n       near the main entrance, which is\n       labeled and protected by a cover to\n       prevent accidental shut-off;\n    \xe2\x80\xa2 automatic voltage control systems\n       that alarm if the voltage fluctuates\n       beyond established safe operating\n       levels;\n    \xe2\x80\xa2 a minimum of two electrical feeds;\n    \xe2\x80\xa2 battery-powered uninterruptible\n       power system to provide sufficient\n       power to all systems in the\n       computer room to allow for at least\n       20 minutes of operations; and\n   \xe2\x80\xa2 backup generators that are set to\n       automatically start up and generate\n       power 
when commercial power\n       fails. The generators are tested\n       monthly for operation and power\n       generation. Additional fuel and\n       spare parts are on hand to provide\n       for sustained operations.\n\n\nSection IV: Supplemental Information Provided by DISA\n\n\n                                    Introduction\nThis Statement on Auditing Standards No. 70 (SAS 70) audit resulted in the\nidentification of potential vulnerabilities and process improvements within the areas of\nInformation Security. The audit of DISA CS and associated FSO support was designed,\nconducted, and reported in accordance with standards of the American Institute of\nCertified Public Accountants and generally accepted government auditing standards. CS\nfocuses its information system security around and in accordance with the DoD Information\nTechnology Security Certification and Accreditation Process (DITSCAP, DoD Instruction\n5200.40) and other directives.\n\nConnecting a computer to a network inherently introduces security risk to both the\ncomputer and the network. The DITSCAP clearly places the responsibility of balancing\nIT system availability, interoperability, and security on the DAA. The DAA is\nresponsible for the agency\xe2\x80\x99s systems certification and accreditations and the operating\nsites\xe2\x80\x99 authority to operate. The DISA DAA and FSO have provided CS with objective\nand measurable system security requirements that balance levels of risk with military\noperational need for availability and interoperability. Those criteria are delineated\nstrategically and operationally via security instructions and guides, and tactically via\nmeasurable systems configuration criteria. FISCAM (the Federal Information System\nControls Audit Manual) was the basis for the SAS 70 objectives and techniques. FISCAM\nis a standard methodology used in the Federal government. 
Accordingly, management clarified the techniques throughout the\nengagement to reflect the CS control environment. Throughout this engagement, CS\nmanagement continued to clarify DoD techniques that deviated from the FISCAM\nmethodology.\n\nThe results of the SAS 70 audit do provide some actionable and valuable strategic focus\nthat will aid CS in solidifying security processes and in guiding overall migration toward\na centrally managed enterprise following its recent Transformation (described below).\nBased upon lessons learned from this initial SAS 70 audit process, it is expected that\nfuture audits will enable an assessment of security posture that will result in fewer\nreportable vulnerabilities.\n\n\n                   DISA\xe2\x80\x99s Computing Transformation\nThe Combat Support Computing mission is to provide secure, interoperable, and assured\ndata processing that enables the DoD to deploy, employ, and sustain a warfighting force.\nJust as the private sector maximizes advances in technology to improve service delivery\nand harvest savings, CS continues to take advantage of transformational technologies in\norder to improve enterprise IT infrastructure and provide the warfighter with \xe2\x80\x9cbest value\xe2\x80\x9d\ncomputing support. 
Transformation strategies and objectives for CS include the\nfollowing:\n\n   \xe2\x80\xa2   refine processing, support, and services architecture while taking advantage of\n       increased bandwidth and highly distributed computing and storage capability;\n\n   \xe2\x80\xa2   provide standardized, content-rich computing environments;\n\n   \xe2\x80\xa2   increase system availability by expanding data replication and mirroring;\n\n   \xe2\x80\xa2   increase use of centralized automated systems management;\n\n   \xe2\x80\xa2   continue workload consolidation where economies of scale can be achieved;\n\n   \xe2\x80\xa2   facilitate transfer of additional processing support for command and control and\n       intelligence functions into DISA facilities; and\n\n   \xe2\x80\xa2   continue ongoing efforts to support cross-component server applications and\n       facilitate DoD-wide consolidation as the designated provider for all DoD server\n       processing.\n\nOver the past 30 months and throughout the course of the SAS 70 audit, CS was engaged\nin executing a large-scale consolidation plan that included numerous workload\nmigrations, introduction of new technologies, a comprehensive business and operational\nmanagement restructuring, and a reduction-in-force that impacted over 1,000 government\npositions. This highly successful transformation is nearing completion and has included\noperational and technical transitions encompassing 28 mainframe logical partitions, over\n800 customer applications, and over 850 geographically disparate network devices. A\nreview of this report, or any evaluation of security processes, procedures, and\nmanagement controls for CS (or their FSO support), must necessarily consider the impact\nof these transformational changes and the day-to-day operational imperatives that\nremained in effect during the period of this audit. 
Accordingly, the following is provided\nas a summary of CS\xe2\x80\x99s computing transformation.\n\nTransformation Highlights\n\nThe 2003-2005 transformation of CS represented yet another major step forward in\nproviding cost effective combat support computing to the warfighters. Most importantly,\nthe transformation will allow DoD to preserve military control over combat support\nprocessing as an integral component of the GIG and the \xe2\x80\x9cbest value\xe2\x80\x9d option. The\nfollowing summarizes the key elements of this transformation:\n\n   1. Implementation of assured computing. CS has fully implemented IBM\n      mainframe assured computing that includes a set of initiatives designed to\n      enhance facilities, equipment, communications, and software to ensure that data is\n      continuously available to the warfighters. This has transformed traditional\n      disaster recovery and continuity of operations planning processes to yield\n      previously unattainable levels of availability. Foremost among these initiatives\n      are measures to use remote data replication and mirroring at geographically\n      separate locations to protect against the catastrophic loss of a processing facility,\n      and to mitigate the risks inherent in data center consolidations. CS had previously\n      proven this capability in the Unisys mainframe environment.\n\n   2. Consolidation of mainframe processing. CS operated six mainframe processing\n      sites, five of which supported OS/390 and Z/OS (IBM-based) processing and\n      three of which supported Unisys processing. Mainframe workload was\n      consolidated into three IBM and two Unisys sites in conjunction with\n      implementation of data mirroring and replication.\n\n   3. Consolidation of server processing. CS supported UNIX and Windows NT-based\n      server processing at 15 locations. 
From FY 2003 to FY 2005, management and\n      administration of these servers were consolidated into four sites, grouped\n      primarily according to the supported Service or Defense agency customer. Given\n       the scope and distribution of Defense Finance and Accounting Service systems, a\n       significant portion of the server consolidation involved Defense Finance and\n       Accounting Service applications. Some consolidations entailed physical\n       relocation of assets; most, however, were logical migrations of the management\n       functions.\n\n   4. Consolidation of systems management. CS consolidated all systems management\n      functions for mainframe and server computing into four locations with primary\n      and backup support for each operating environment. A \xe2\x80\x9clights-dim\xe2\x80\x9d approach,\n      with touch labor support for remote operations, was implemented at operating\n      sites. Systems management consolidation was implemented in concert with\n      mainframe and server processing consolidation from FY 2003 to FY 2005.\n\n   5. Management restructuring. To achieve further economies of scale in the\n      management and administration of computing operations, CS centralized all\n      business and operational support functions. Over the past 30 months, the former\n      DECC and Detachment structures were eliminated. By the end of FY 2005, CS\n      will consist of one Headquarters component, four production sites (or SMCs), two\n      infrastructure services sites, and several \xe2\x80\x9clights-dim\xe2\x80\x9d server processing sites, as\n      described above. All business, financial, engineering, acquisition, logistics, and\n      administrative functions currently performed in the field are being\n      integrated and consolidated into a single virtual management organization. 
The\n      post-transformation site configuration is displayed in Figure 1.\n\n                       Figure 1. DISA Computing Services Site Configuration\n\n      [Map figure. Sites labeled on the map: Puget Sound, Ogden, Denver, San Diego,\n      Hawaii, Pacific, Oklahoma City, San Antonio, St Louis, Rock Island, Huntsville,\n      Montgomery, Pensacola, Jacksonville, Columbus, Dayton, Warner Robins,\n      Mechanicsburg, Chambersburg, NCR, Norfolk, and Europe. Legend: Headquarters;\n      Systems Management Centers (SMC) \xe2\x80\x93 mainframes and servers; Processing Element;\n      Infrastructure Services Center; OCONUS Defense Enterprise Computing Center\n      (DECC).]\n\n\n\n\nTechnology 
Insertion and Technical Management Changes\n\nIn recent years, significant advances have been made in the areas of IT enterprise\narchitectures and management automation. Networks have been designed to separate\nmanagement functions from in-band production, thereby increasing security and enabling\nremote administration of devices and applications. Toolsets have been developed that\nprovide administrators with increased capacity to manage customers\xe2\x80\x99 systems, resulting\nin far superior ratios in terms of environments managed per operator. During the\nplanning phase for the current transformation, CS performed extensive industry research\nand incorporated these concepts into its transformation design. The following briefly\nsummarizes some of the capabilities implemented to support the FY 2003-2005\ntransformation that were still being fully established during the course of the subject\nSAS 70 audit.\n\nCentral Communication Centers\n\nCS established two CCCs to provide centralized network management for all 18 DECC\nsites, thereby improving standardization and configuration management while achieving\nsignificant economies of scale. The core CCC function is to maintain a secure, cost\neffective, efficient, and reliable telecommunications operations environment supporting\nDoD and the warfighters by providing the appropriate event correlation for network and\nsecurity environments within the data centers, and to serve as the SMC escalation\norganization to the Defense Information System Network Regional Network Operations\nCenter, the Service, and Defense agency base level management centers. Utilizing a\nsecure \xe2\x80\x9cout-of-band\xe2\x80\x9d management network, the CCCs support all routing, switching,\nDomain Name Servers, wide area network connectivity to DISA Network Services, and\nnetwork security device operations. 
The CCCs also employ a Security Management\nTeam that maintains the security functions on the production networks managed by the\nCCCs, including access control and IDS, firewall operations, and configuration\nmanagement.\n\nOut-of-Band (OOB) Network\n\nThe CS out-of-band management network was designed and implemented to support\nsecured remote administration of all CS \xe2\x80\x9cglass house\xe2\x80\x9d (i.e., inside the data center)\ndevices. The out-of-band infrastructure is designed to provide a secure method for\nremote privileged user access and Enterprise System Management data transmission,\nirrespective of whether SMC personnel are physically located in the same building. The\nout-of-band architecture includes virtual private network connectivity and privileged user\naccess accounts based upon the specific functions required by the user. Separate\nindividual user access profiles are issued for Windows, UNIX, and mainframe\nenvironments, and network access and authentication are validated for auditability.\nInternet Protocol Security tunnels are established from all DECCs to the Enterprise\nSystem Management suites located at the two CCC locations for encrypted system\nmanagement data. Tivoli and Hewlett Packard Openview collectors that reside within\nthe out-of-band network collect site-specific management data that is then transferred to\nthe central complex in Oklahoma City and Montgomery.\n\nRemote Systems Management\n\nOne of the key elements of the CS Transformation was to establish remote system\nadministration capabilities. Previously, all 16 data centers maintained operational control\nindependently, which resulted in use of multiple toolsets and procedures. To improve\nstandardization and reduce the ratio of system support personnel to the number of devices\nmanaged, CS made remote systems management a priority and shifted the paradigm from\nlocal ownership and control to that of a virtual enterprise environment. 
Enterprise\nSystem Management software, such as Hewlett Packard Openview, Tivoli TEC (Tivoli\nEnterprise Console), and Veritas Back-up, was integrated into a common architecture for\nuse by all SMCs. In addition, with remote management as CS\xe2\x80\x99s premise, a complete\nreview of systems administration from an enterprise perspective was performed and\nresulted in more efficient and standard ratios for all mainframe, Windows, and UNIX\nenvironments. As discussed above, an out-of-band network infrastructure was designed\nand implemented as the vehicle to provide secure access for remote system management\npersonnel.\n\nCentral Staging Center\n\nTo ensure proper configuration management within the transformed CS, the Operations\nDivision established a \xe2\x80\x9cCentral Staging Center\xe2\x80\x9d to serve as a centralized receipt and\nstaging function for all server and communications hardware and software destined for\nimplementation at DECC locations. This capability represented a marked improvement\nin configuration control by ensuring that all assets received are documented in a standard\nfashion with the standard asset management tools, and staged in accordance with the\nprescribed configuration process. Centralization ensures that all standard process\nrequirements and coordination associated with the incorporation of new assets into the\nproduction operating environment are consistently met, and simplifies large-scale\nimplementations involving assets in multiple locations. Responsibilities include mid-tier\nand communications configuration setup, and application of STIG implementation at the\noperating system, database, network, and web levels. 
This CS component is staffed with\nlogistics and technical personnel to provide asset management and inventory support and\nensure that all configuration management databases are reconciled.\n\n\n             Security Processes and Other Considerations\nManagement Restructuring and Transitions\n\nAs part of the Transformation plan to centralize all business and operational support\nfunctions within CS, management of all security aspects (information, physical,\npersonnel, etc.) was foremost in terms of departing from the previous decentralized\nmanagement structure inherent in the 5 DECC and 13 Detachment configuration.\nCentralized control, development, and review of all PEs\xe2\x80\x99 SSAAs and authority to operate\ndocuments were implemented site-by-site. Documents and processes were in the process\nof migration from field to centralized management, including transfer of documents and\ntraining of new personnel, throughout the period of the SAS 70 audit process.\n\nOther functions and processes supporting field unit security were also in a state of\ntransition during the SAS 70 audit. For example, configuration management\nresponsibilities, initially planned for centralization, were largely redistributed to the field\nunits, and staff positions were re-instated pending the acquisition of an automated tool.\nTechnical challenges and delays in fully implementing Enterprise System Management\ntools that support the centralized assessment of security status (such as the self-healing\nSRRs and the 6.0 release of FSO\xe2\x80\x99s VMS) have impacted plans to centralize, which has\nrequired re-instatement of field-level security monitoring and processes beyond the\nplanned dates. The out-of-band for SIPRNet and NIPRNet, the installation of separate\nadministrative and production local area networks at all sites, and the migration of all\nnon-production workload to the production local area networks took place during the\nSAS 70 audit. 
In addition, while this was taking place, the entire CS network\ninfrastructure was migrating toward a new, closed architecture.\n\nDuring this dynamic transition, CS continued to make significant improvements in its\nsecurity posture. Examples include the implementation of deny-by-default networks,\nautomated SRRs, closing of ports at the internet-NIPRNet gateways, implementation of\nnetwork security components, daily tracking of Information Assurance Vulnerability\nAlert compliance, an auditable network change process, an auditable connection-\napproval process, encryption of many file transfers and interactive sessions, and\nimplementation of Microsoft patch servers.\n\nSecurity Updates and Coordination\n\nInstallations of Information Assurance Vulnerability Alerts, software patches, and\ncustomer application releases are major causes for scheduled outages. Since CS must\nbalance customer operational imperatives with Information Assurance Vulnerability\nAlert and STIG compliance, customer coordination must be obtained early, followed by\nrigorous adherence to established timeframes, so that vulnerabilities can be eliminated.\nDuring the SAS 70 audit, situations requiring this customer coordination took place;\nhowever, customer approval for the downtime required to implement security\nimprovements was not always attainable.\n\nImproved Security Processes\n\nDuring the SAS 70 audit, many of the findings at various sites were corrected on the spot\nand improved processes were established. While insights gained from external\nexaminers were helpful, the final report covers the entire set of objectives for CS as a\nwhole and, accordingly, does not reflect all iterative corrections and enhancements made\nat individual sites. The following are examples of some of the improvements:\n\n   \xe2\x80\xa2   Several updates to the System Security Authorization Agreement were made\n       during the audit. 
Additional security policies and procedures were incorporated\n       into the System Security Authorization Agreement that conformed to the\n       recommendations.\n\n   \xe2\x80\xa2   The process for managing DD Form 2875s was modified to ensure they are filled\n       out in a consistent manner and proper authorization for system access is\n       maintained.\n\n   \xe2\x80\xa2   The Security Awareness training program was strengthened at the Headquarters\n       level to ensure that all employees are completing the training on an annual basis.\n\n   \xe2\x80\xa2   Out-processing procedures were refined to ensure all employees (contractor and\n       government) follow the same procedures when their employment terminates.\n\n   \xe2\x80\xa2   Tiger Teams were established to develop or refine procedures in areas where the\n       SAS 70 auditor recommended improvements.\n\n\n                       Continuity of Operations Plan\nCS has an up-to-date contingency plan developed and documented. The Business\nContinuity Plan (BCP) is a contingency plan that, by regulatory requirements within and\nexternal to CS, each CS processing site must develop, maintain, and exercise. CS must\nkeep the BCP up to date, and have the plans evaluated annually for completeness and\naccuracy. Based on exercise results, the plan is updated to address identified\ndiscrepancies. The BCP is reviewed annually and tested periodically.\n\nEach CS-managed application has a recovery strategy documented that identifies the\nprocess for recovering that application in response to a disaster or contingency related\nevent. All BCP information, including information on alternate recovery sites and\ntelecommunications, is reviewed annually for accuracy and completeness. During\napplication recovery exercises, the capabilities of alternate sites and telecommunication\nfacilities are confirmed. 
Where shortfalls exist, they are documented and addressed\nwithin the BCP and their capabilities are tested during subsequent exercises. As part of\nthat documentation and where appropriate, alternate processing sites and\ntelecommunication facilities are identified.\n\nThe BCP is reviewed annually for accuracy and completeness and subjected to a BCP\nwalk-through exercise, using the appropriate team members, as well as an audit of the\nrelated off-site storage programs and facility. In addition, selected applications are\nsubjected to application recovery exercises involving a physical relocation of primary\nproduction processing to a documented alternate location.\n\nCS has established policies governing the timely development and distribution of\nexercise after action reports, as well as requirements for addressing identified\ndiscrepancies within the BCP. Action reports are due, in final form, within four weeks\nafter the completion of any application recovery exercise. They are distributed to the\nappropriate customer personnel and are used as starting points for the updating and\nrefinement of the relevant sections of the BCP.\n\n\n                                      Summary\nFrom the DISA perspective, this initial SAS 70 audit proved to be a challenging\nundertaking in terms of timing, process, and methodology. Performing an audit of this\nmagnitude and complexity is undoubtedly a difficult task even in the most stable of\noperating environments. Attempting this in the middle of a full-scale transformation of\nthe CS enterprise required unprecedented effort on everyone\xe2\x80\x99s part and, unfortunately,\ncomplicated the task for all involved. 
Notwithstanding limitations in the results obtained\nas discussed above, this audit has provided a foundation upon which to continue\nimproving processes and procedures essential to maintaining proper information security\nin all areas.\n\n\nAcronyms and Abbreviations\nBCP       Business Continuity Plan\nCCC       Communications Control Center\nCIO       Chief Information Officer\nCS        Center for Computing Services\nDAA       Designated Approving Authority\nDECC      Defense Enterprise Computing Center\nDISA      Defense Information Systems Agency\nDITSCAP   DoD Information Technology Security Certification and Accreditation Process\nDoD       Department of Defense\nFISCAM    Federal Information System Controls Audit Manual\nFSO       Field Security Operations\nGIG       Global Information Grid\nGSA       General Services Administration\nIA        Information Assurance\nIAM       Information Assurance Manager\nIAO       Information Assurance Officer\nIDS       Intrusion Detection System\nISC       Infrastructure Services Center\nIT        Information Technology\nMAC       Mission Assurance Category\nOMB       Office of Management and Budget\nOST       Operations Support Team\nPE        Processing Element\nSA        System Administrator\nSAS       Statement on Auditing Standards\nSM        Security Manager\nSMC       System Management Center\nSRR       Security Readiness Review\nSSAA      System Security Authorization Agreement\nSSO       Systems Support Office\nSTIG      Security Technical Implementation Guide\nVMS       Vulnerability Management System\n\n\nReport Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nDirector, Program Analysis and Evaluation\n\nDepartment of the Army\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of 
the Air Force\nAuditor General, Department of the Air Force\n\nCombatant Command\nInspector General, U.S. Joint Forces Command\nCommander, U.S. Strategic Command\n\nOther Defense Organizations\nDirector, Defense Finance and Accounting Service\nDirector, Defense Information Systems Agency\n\nNon-Defense Federal Organizations\nOffice of Management and Budget\nGovernment Accountability Office\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Homeland Security and Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency and Financial Management, Committee\n  on Government Reform\nHouse Subcommittee on National Security, Emerging Threats, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology, Information Policy, Intergovernmental Relations,\n  and the Census, Committee on Government Reform\n\n\nTeam Members\nThe Defense Financial Auditing Service, in conjunction with contract auditors\nfrom PricewaterhouseCoopers and the Technical Assessment Division of the\nDepartment of Defense Office of the Inspector General (DoD OIG), prepared this\nreport. Personnel of the Quantitative Methods Division, DoD OIG, also\ncontributed to the report.\n\nPaul J. Granetto\nPatricia A. Marsh\nAddie M. Beima\nMichael Perkins\nKenneth H. Stavenjord\nSuzette L. Luecke\nLTC Shurman Vines\nPeter C. Johnson\nAhn Tran\nMichael Davitt\nChanda D. Lee\nJason E. Alt\nWalter J. 
Carney\nEric T. Thacker\nCindy L. Gladden\nChi H. Lam\nBrian M. Stumpo\nWen-Tswan Chen\n